Recommendation: The Chairman of the National Security Council, or his designee, should work with relevant federal entities to update strategy documents related to the nation's cybersecurity to better reflect desirable characteristics of a national strategy, to include:

• an assessment of cyber-related risk, based on an analysis of the threats to, and vulnerabilities of, critical assets and operations;

• measures of performance and formal mechanism to track progress of the execution of activities; and

• an analysis of the cost and resources needed to implement the National Cyber Strategy. (Recommendation 1)

Agency: Executive Office of the President: National Security Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation's cyber critical infrastructure, including the implementation of the National Cyber Strategy. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 7)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 8)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should configure its CDM tools to compare configuration settings against federal core benchmarks and agency-specific variations applicable to its environment. (Recommendation 9)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools. (Recommendation 10)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 11)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should configure its CDM tools to compare configuration settings against federal core benchmarks applicable to its environment. (Recommendation 12)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 13)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 14)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should configure its CDM tools to compare configuration settings against agency-specific benchmarks applicable to its environment. (Recommendation 15)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS's rationale for maintaining any requirements variances.(Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 4)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 5)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 6)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 7)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document the SSA's rationale for maintaining any requirements variances. (Recommendation 10)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 11)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 12)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Commerce should ensure that the agency's Chief Information Officer updates the telecommunications inventory to include all telecommunications assets and services in use at the agency, and updates Commerce's process for ongoing maintenance of the inventory to include the complete inventory. (Recommendation 1)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: Commerce concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Commerce should ensure that the agency's Chief Information Officer completes efforts to identify future telecommunications needs using a complete inventory of existing telecommunications services; conducts and documents a comprehensive strategic analysis at all bureaus to identify areas for optimization and sharing of telecommunications resources; evaluates the costs and benefits of implementing new telecommunications technology and alternative options at all bureaus; and fully aligns Commerce's telecommunications needs with its long-term IT plans and enterprise architecture. (Recommendation 2)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: Commerce concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Commerce should ensure that the agency's Chief Information Officer finalizes the responsibilities related to the information security management role during the telecommunications transition, and assigns the roles for providing legal expertise during the transition, as well as for managing human capital, telecommunications assets, and information security during the transition, to staff members; describes how changes and disruptions related to the transition will be communicated to end users at all bureaus and identifies the key local and regional agency transition officials responsible for disseminating information about the transition to employees and working with the vendor to facilitate transition activities in Commerce's transition communications plan; and establishes and implements configuration and change management processes for its transition. (Recommendation 3)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: Commerce concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Commerce should ensure that the agency's Chief Information Officer identifies all of the funding needed to support the telecommunications transition; justifies requests for resources related to transition program management staff; conducts an analysis to identify staff resources needed for the entire transition effort; and analyzes training needs for staff assisting with the transition. (Recommendation 4)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: Commerce concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Commerce should ensure that the agency's Chief Information Officer takes into account the agency's telecommunications transition risks, mission critical systems, and contingency plans in Commerce's transition time line. (Recommendation 5)

Agency: Department of Commerce: Office of the Secretary
Status: Open

Comments: Commerce concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Health and Human Services should ensure that the agency's Chief Information Officer develops a policy that requires the agency's components to maintain an inventory of the telecommunications assets and services that they acquire independently from headquarters; updates the telecommunications inventory to include all telecommunications assets and services in use at HHS, and updates the agency's process for ongoing maintenance of the inventory to include the complete inventory. (Recommendation 6)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: HHS concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Health and Human Services should ensure that the agency's Chief Information Officer completes efforts to identify future telecommunications needs using a complete inventory of existing telecommunications services; and aligns HHS's telecommunications needs with its long-term IT plans. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: HHS concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Health and Human Services should ensure that the agency's Chief Information Officer identifies and documents telecommunications transition roles and responsibilities related to (1) managing assets and human capital during the planning and execution phases of the transition and (2) providing legal expertise during the execution phase of the transition, and assigns the transition information security management role to a staff member; and establishes and implements configuration and change management processes for HHS's transition. (Recommendation 8)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: HHS concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Health and Human Services should ensure that the agency's Chief Information Officer identifies all of the funding needed to support the telecommunications transition at each of the agency's components, justifies requests for transition resources related to hardware and software upgrades, conducts an analysis to identify staff resources needed for the entire transition effort, and analyzes training needs for staff assisting with the transition. (Recommendation 9)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: HHS concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Health and Human Services should ensure that the agency's Chief Information Officer completes efforts to identify telecommunications transition measures of success that can be used to assess transition progress; and takes into account all of the agency's components, as well as its mission critical systems, contingency plans,and telecommunications transition risks, in HHS's transition time line. (Recommendation 10)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: HHS concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of State should ensure that the agency's Chief Information Officer updates the telecommunications inventory to include all telecommunications assets and services in use at the agency, and updates State's process for ongoing maintenance of the inventory to include the complete inventory. (Recommendation 11)

Agency: Department of State: Office of the Secretary
Status: Open

Comments: State concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: he Secretary of State should ensure that the agency's Chief Information Officer completes efforts to identify the agency's future telecommunications needs using a complete inventory of existing telecommunications services; conducts and documents a strategic analysis to justify the sharing of telecommunications resources; and aligns State's telecommunications needs with its long-term IT plans and enterprise architecture. (Recommendation 12)

Agency: Department of State: Office of the Secretary
Status: Open

Comments: State concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of State should ensure that the agency's Chief Information Officer identifies telecommunications transition roles and responsibilities related to (1) managing assets during the planning and execution phases of the transition and (2) providing legal expertise during the execution phase of the transition, and finalizes the responsibilities related to the information security management role for the transition; includes in State's transition communications plan the frequency with which transition status updates and meetings will occur throughout the transition, a description of how changes and disruptions related to the transition will be communicated to end-users, and the key local and regional agency transition officials responsible for disseminating information about the transition to employees and working with the vendor to facilitate transition activities; and establishes configuration management processes for the agency's transition. (Recommendation 13)

Agency: Department of State: Office of the Secretary
Status: Open

Comments: State concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of State should ensure that the agency's Chief Information Officer identifies all of the funding needed to support the telecommunications transition, justifies requests for resources related to transition program management staff, conducts an analysis to identify staff resources needed for the entire transition effort, and finalizes its analysis of training needs for staff assisting with the transition. (Recommendation 14)

Agency: Department of State: Office of the Secretary
Status: Open

Comments: State concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of State should ensure that the agency's Chief Information Officer takes into account the agency's telecommunications transition risks, mission critical systems, and contingency plans in State's transition time line. (Recommendation 15)

Agency: Department of State: Office of the Secretary
Status: Open

Comments: State concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency's Chief Information Officer updates the telecommunications inventory to include all telecommunications assets and services in use at the agency, and updates and finalizes VA's process for ongoing maintenance of the inventory to include the complete inventory. (Recommendation 16)

Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open

Comments: VA concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency's Chief Information Officer completes efforts to identify future telecommunications needs using a complete inventory of existing telecommunications services, and determines and documents that VA's telecommunications needs are aligned with its long-term IT plans. (Recommendation 17)

Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open

Comments: VA concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency's Chief Information Officer includes in its telecommunications transition communications plan the key local and regional agency officials responsible for disseminating information about the transition to employees and working with the vendor to facilitate transition activities; and establishes and uses cost and schedule management processes in the agency's transition. (Recommendation 18)

Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open

Comments: VA concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency's Chief Information Officer identifies and documents all of the funding needed to support the telecommunications transition, including costs for all years of transition planning support; justifies requests for transition resources related to program management staff; conducts an analysis to identify staff resources needed for the entire transition effort; and analyzes training needs for staff assisting with the transition. (Recommendation 19)

Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open

Comments: VA concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Secretary of Veterans Affairs should ensure that the agency's Chief Information Officer completes efforts to identify telecommunications transition measures of success that can be used to assess transition progress; and takes into account the agency's telecommunications transition risks, mission critical systems, and contingency plans in VA's transition time line. (Recommendation 20)

Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open

Comments: VA concurred with this recommendation. We will continue to follow-up on the department's efforts to address it.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's Chief Information Officer updates the telecommunications inventory to include all telecommunications assets and services in use at the agency, and updates NASA's process for ongoing maintenance of the inventory to include the complete inventory. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. We will continue to follow-up on the agency's efforts to address it.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's Chief Information Officer completes efforts to identify the agency's future telecommunications needs using a complete inventory of existing telecommunications services. (Recommendation 22)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. We will continue to follow-up on the agency's efforts to address it.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's Chief Information Officer identifies telecommunications transition roles and responsibilities related to (1) managing human capital during the planning and execution phases of the transition and (2) providing legal expertise during the execution phase of the transition. (Recommendation 23)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. We will continue to follow-up on the agency's efforts to address it.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's Chief Information Officer conducts an analysis to support the anticipated cost savings identified as part of the agency's justification for its resource requests related to hardware and software upgrades for the telecommunications transition, and justifies its resource requests for transition program management staff; conducts an analysis to identify staff resources needed for the entire transition effort; and analyzes training needs for staff assisting with the transition. (Recommendation 24)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. We will continue to follow-up on the agency's efforts to address it.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's Chief Information Officer takes into account the agency's mission critical systems and contingency plans in NASA's telecommunications transition time line. (Recommendation 25)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. We will continue to follow-up on the agency's efforts to address it.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of NIST should establish time frames for completing NIST's initiatives, to include the information security measurement program and the cybersecurity framework starter profile, to enable the identification of sector-wide improvements from using the framework in the protection of critical infrastructure from cyber threats. (Recommendation 1)

Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open

Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.

Recommendation: The Secretary of Agriculture, in coordination with the Secretary of Health and Human Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.

Recommendation: The Secretary of Defense should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171 , "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations;" and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.

Recommendation: The Secretary of Energy should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 4)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.

Recommendation: The Administrator of the Environmental Protection Agency should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.

Recommendation: The Administrator of the General Services Administration, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s), such as the Coordinating Council and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800 and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implementing the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.

Recommendation: The Secretary of Health and Human Services, in coordination with the Secretary of Agriculture, should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 7)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.

Recommendation: The Secretary of Homeland Security should take steps to consult with respective sector partner(s), such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sectors using existing initiatives. (Recommendation 8)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of Transportation, in coordination with the Secretary of Homeland Security, should take steps to consult with respective sector partner(s) such as the SCC and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 9)

Agency: Department of Transportation: Office of the Secretary
Status: Open

Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.

Recommendation: The Secretary of the Treasury should take steps to consult with respective sector partner(s), such as the SCC, DHS, and NIST, as appropriate, to collect and report sector-wide improvements from use of the framework across its critical infrastructure sector using existing initiatives. (Recommendation 10)

Agency: Department of the Treasury: Office of the Secretary
Status: Open

Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.

Recommendation: The Chairman of the NMB should document NMB's authorizations for its use of cloud services approved through FedRAMP and submit the authorizations to the FedRAMP Program Management Office. (Recommendation 1)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should update NMB's security policies and procedures to include FedRAMP's authorization requirements. (Recommendation 2)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should develop a written plan to document NMB's process for reviewing and monitoring the agency's annual appropriation to ensure that funds are used effectively. (Recommendation 3)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Chairman of the NMB should establish a process for the Board to effectively monitor and evaluate NMB's adherence to audit protocols and implementation of actions to address audit recommendations. (Recommendation 4)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management. (Recommendation 1)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was in the process of revising its IT systems project planning to ensure the development and implementation of policies and procedure incorporating key cybersecurity activities. The agency also stated that it plans to hire an IT Security Project Manager in order to acquire the necessary cybersecurity expertise needed to implement this recommendation and to ensure that sufficient time and resources can be dedicated to the development and implementation of these policies and procedures. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of oversight procedures for each externally-operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and, (4) reviewing the assessment. (Recommendation 2)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing oversight procedures for each externally-operated system. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function. (Recommendation 3)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it had expanded the office's IT Director's role to formally include the functions of an IT Risk Executive and was in the process of establishing the roles and responsibilities. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy. (Recommendation 4)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing a cybersecurity risk management strategy. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. (Recommendation 5)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that, once the position of IT Security Project Manager is filled and the IT Risk Executive functions are formalized, the agency is planning to commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. We will continue to monitor OCWR's progress in addressing this recommendation

Recommendation: The Secretary of Homeland Security should develop a strategy to independently validate selected agencies' self-reported actions on meeting binding operational directive requirements, where feasible, using a risk-based approach. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.

Recommendation: The Secretary of Homeland Security should develop a schedule and plan for completing the high value asset program reassessment and addressing the outstanding issues on completing the required high value asset assessments, identifying needed resources, and finalizing guidance for Tier 2 and 3 HVA systems. (Recommendation 4)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Priority recommendation

Comments: OMB neither agreed nor disagreed with this recommendation and as of September 2020, the office has not provided information on its actions to implement our recommendation. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. We will update the status of this recommendation when OMB provides information on its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update security plans for selected systems to include the description of security controls and reviews and approvals plan. (Recommendation 4)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office and estimated funding required and anticipated source of funding. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status once CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for selected system to identify the summarized results of control effectiveness tests. (Recommendation 12)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Administrator of EPA should update security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking action to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should prepare the letter authorizing the use of cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should develop guidance requiring that cloud service authorization letter be provided to the FedRAMP program management office. (Recommendation 23)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any additional evidence. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Secretary of Defense should ensure the department implements the pilot program by releasing at least 20 percent of newly custom-developed code as open source software (OSS). (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter provided to GAO, the 20 percent software release target is unlikely achievable due to the nature of code that is custom developed by the department. However, the department is mandated by law to implement the open source software pilot program established by the Office of Management and Budget's memorandum M-16-21. Releasing at least 20 percent of newly custom-developed code is a requirement of this program. GAO will continue to follow-up on the status of the pilot program.

Recommendation: The Secretary of Defense should ensure the department identifies a measure to calculate the percentage of code released to gauge its progress on implementing the pilot program. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially agreed with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter sent to GAO, the department intends to release updated guidance on the release of custom-developed code as open-source software and will include metrics. The department estimated that the updated policy will be completed in the 3rd quarter of fiscal year 2020. GAO will follow-up with the agency to obtain the status of the updated guidance.

Recommendation: The Director of OMB should expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: In January 2020, OMB officials stated that they have incorporated agency feedback for enhancing the CyberStat program into an updated concept of operations document that is currently in draft. To consider this recommendation fully implemented, OMB needs to provide us with an updated concept of operations document for the CyberStat program, and demonstrate the expansion of CyberStat review meetings to agencies that require additional assistance due to persistent information security deficiencies. As of September 2020, OMB has not provided sufficient evidence to close this recommendation.

Recommendation: The Director of OMB should collaborate with CIGIE to ensure that the inspector general reporting metrics include the FISMA-required information security program element for system security plans. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of September 2020, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.

Recommendation: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that its intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for a unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Housing and Urban Developing should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, respond to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)

Agency: Department of the Interior
Status: Open
Priority recommendation

Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, . the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)

Agency: Department of State
Status: Open

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)

Agency: Department of State
Status: Open
Priority recommendation

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update it policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)

Agency: Office of Personnel Management
Status: Open

Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)

Agency: Small Business Administration
Status: Open
Priority recommendation

Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the Centers for Medicare and Medicaid Services should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: HHS, on behalf of CMS, did not concur with this recommendation. In its February 2020 response to GAO, HHS stated that current NIST guidance to agencies was insufficient and that CMS would look forward to future guidance from NIST and OMB to help guide consideration of non-knowledge-based verification options. We continue to believe that our recommendation is valid because a variety of alternative methods to knowledge-based verification are available that CMS can consider to address the diverse population it serves. Further, NIST has agreed with our recommendation to develop additional guidance for agencies, and CMS may be able to use that guidance to identify a verification approach that does not really on knowledge-based techniques. We will continue to monitor the actions CMS may take to address the recommendation.

Recommendation: The Secretary of the Department of Veterans Affairs should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques. (Recommendation 6)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA agreed with our recommendation. To fully implement this recommendation, VA needs to develop a plan with milestones to document the results of their evaluation of the alternatives the department stated it is interested in pursuing.

Recommendation: Congress should consider providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: No action has been taken on this matter as of December 2019.

Recommendation: The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.

Recommendation: The Commissioner of Internal Revenue should modify the Authorized e-file Provider program's requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.

Recommendation: The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.

Recommendation: The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.

Recommendation: The Commissioner of Internal Revenue should update IRS's monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.

Recommendation: The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS's Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.

Recommendation: The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types Authorized e-file Providers. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.

Recommendation: The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.

Recommendation: The Secretary of Commerce should direct the Director of the Census Bureau to direct the Census Bureau's Chief Information Officer (CIO) to take steps to ensure that identified corrective actions for cybersecurity weaknesses are implemented within prescribed time frames. (Recommendation 1)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: Commerce agreed with our recommendation. It provided an action plan in August 2019. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.

Recommendation: The Secretary of Commerce should direct the Director of the Census Bureau to direct the Bureau's CIO to implement a formal process for tracking and executing appropriate corrective actions to remediate cybersecurity weaknesses identified by DHS, and expeditiously address the identified deficiencies. (Recommendation 2)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: Commerce agreed with our recommendation. In August 2019, the Bureau stated that it is developing a process for tracking and executing corrective actions identified by governing bodies and external entities. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.

Recommendation: The FEMA Administrator should ensure that the GMM program management office finalizes the organizational change management plan and time frames for implementing change management actions. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office updates the program schedule to address the leading practices for a reliable schedule identified in this report. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the FEMA Office of the Chief Information Officer (OCIO) defines sufficiently detailed planned evaluation methods and actual evaluation methods for assessing security controls. (Recommendation 5)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the FEMA OCIO approves a security assessment plan before security assessment reviews are conducted. (Recommendation 6)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office follows DHS guidance on preparing corrective action plans for all security vulnerabilities. (Recommendation 7)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office fully tests all of its security controls for the system. (Recommendation 8)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they have reviewed state CRA registration information available to them, are working to obtain additional state registration information, and are exploring additional ways to leverage the information. GAO will continue to monitor CFPB's progress in leveraging additional sources of information that would help identify larger participant CRAs.

Recommendation: The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they were assessing whether, and if so, how and when, to incorporate data security risks into their supervisory prioritization. As part of that evaluation, CFPB is assessing whether those processes should incorporate data security risks CRAs pose to consumers in light of the agency's statutory authorities, supervisory responsibilities, and resources. GAO will continue monitoring CFPB's assessment of prioritization of CRA data security risks.

Recommendation: Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: As of July 2020, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act.

Recommendation: The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: The Secretary of DHS should direct the appropriate staff to work with OMB to follow up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS provided evidence in December 2019 but it was insufficient to close this recommendation. We will continue to follow-up with DHS.

Recommendation: The Director of OMB should submit the intrusion assessment plan to the appropriate congressional committees. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should report on implementation of the defense-in-depth strategy described in the intrusion assessment plan, including all elements described in the plan. (Recommendation 4)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should update the analysis of agencies' intrusion detection and prevention capabilities to include the degree to which agencies are using NCPS. (Recommendation 5)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to update her report to Congress to include required information, such as detecting advanced persistent threats, a comparison of the costs and benefits of the capabilities versus commercial technologies and tools, and the capability of agencies to protect sensitive cyber threat indicators and defense measures. (Recommendation 6)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to work with DHS to follow-up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 9)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Secretary of Education should enroll loan servicers in FSA's continuous monitoring program and, in the interim, require these entities to report the results of security controls testing at an FSA-defined frequency. (Recommendation 1)

Agency: Department of Education
Status: Open

Comments: FSA concurred with this recommendation and the agency stated that loan servicers are scheduled to be enrolled in its ongoing security authorization program beginning in fiscal year 2019. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should enroll private collection agencies in FSA's continuous monitoring program, and, in the interim, require these entities to test all controls at an FSA-defined frequency and regularly report the results. (Recommendation 2)

Agency: Department of Education
Status: Open

Comments: FSA stated that it concurred with this recommendation, but the actions it said it planned to take would not fully address it. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should modify FSA's agreements with guaranty agencies to specify a required baseline of security controls based on the impact level of the information shared with these agencies, as determined by FSA. (Recommendation 3)

Agency: Department of Education
Status: Open

Comments: FSA concurred with this recommendation and described planned actions to address it. In November 2019, FSA officials told us that this recommendation has a pending date of 5/31/2020 for completion When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should establish a process for continuous monitoring of guaranty agencies' implementation of security and privacy requirements between on-site assessments, to include testing all controls at an FSA-defined frequency and regularly reporting results. (Recommendation 4)

Agency: Department of Education
Status: Open

Comments: FSA partially concurred with this recommendation and described actions it planned to take in response. However, we believe the entire recommendation is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should include specific security and privacy requirements in agreements with the Federal Family Education Loan (FFEL) Program lenders based on FSA's categorization of the information shared with the lenders. (Recommendation 5)

Agency: Department of Education
Status: Open

Comments: FSA stated that it partially agreed with this recommendation; however, if effectively implemented, the planned actions it described would address this recommendation. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should develop policies and procedures to gain assurance that FFEL lenders have appropriate security and privacy controls in place and that these controls are being regularly tested and monitored. (Recommendation 6)

Agency: Department of Education
Status: Open

Comments: FSA did not concur with this recommendation. However, we believe it is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The agency agreed with the recommendation and, in October 2018, described a a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.

Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)

Agency: Department of Justice
Status: Open

Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)

Agency: Department of Labor
Status: Open

Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.

Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)

Agency: Department of State
Status: Open

Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.

Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)

Agency: Department of Transportation
Status: Open

Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)

Agency: National Science Foundation
Status: Open

Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agencies' policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)

Agency: Office of Personnel Management
Status: Open

Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan's revised in 2019 addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Director of the Defense Security Service should determine how it will collaborate with stakeholders as it pilots a new approach to overseeing contractors with cleared facilities (DSS in Transition), including identifying roles and responsibilities and the related resources needed. (Recommendation 1)

Agency: Department of Defense: Defense Security Service
Status: Open

Comments: DOD agreed with this recommendation and as of February 2019, stated that it continues to pilot DSS in Transition at cleared facilities and use information gathered from stakeholders, including key government and industry stakeholder organizations to refine the process. On August 12, 2020, DOD stated that DSS was in the process of drafting a Corrective Action Plan. At that time, DOD officials explained that this plan would be completed in the fourth quarter of fiscal year 2019. As of September 2020, this plan has not been completed.

Recommendation: The Chairman of the National Mediation Board should develop and execute a plan to address the rail arbitration case backlog. (Recommendation 1)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and stated that it is examining the growing arbitration backlog and investigating steps the Board may take to reduce it. In particular, the agency noted that it is discussing proposals with stakeholders and formulating a plan to reduce the backlog in 2018.

Recommendation: The Chairman of the National Mediation Board should develop and implement policies for approval and monitoring of employee requests for outside employment and other outside activities to prevent violations of ethics rules, consistent with Office of Government Ethics standards of conduct and federal internal control standards. (Recommendation 2)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that it has taken significant steps to investigate this matter and has established new controls in order to prevent this type of activity in the future, including establishing a relationship with the IG of the National Labor Relations Board to operate a telephone hotline and email address for the reporting of suspected fraud, waste and abuse at NMB.

Recommendation: The Chairman of the National Mediation Board should complete and take actions on the organizational climate assessment and survey results as a means to address employee concerns. (Recommendation 3)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that the Board is concerned that the 2017 Federal Employee Viewpoint Survey revealed a level of dissatisfaction among NMB employees. It plans to conduct an Internal Climate Assessment in 2018 and agency looks forward to the opportunity to better understand and address any employee concerns.

Recommendation: The Chairman of the National Mediation Board should revise NMB's travel policy and develop appropriate internal controls to ensure compliance with federal requirements for travel. (Recommendation 4)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that it is in the process of reviewing the current travel policy, and will revise the policy to be in compliance with federal travel regulations as necessary.

Recommendation: The Chairman of the National Mediation Board should revise NMB's telework policy and develop appropriate internal controls to ensure compliance with federal requirements for telework. (Recommendation 5)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and stated that it will revise its telework policy and strengthen internal controls, as necessary.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially concurred with the recommendation. OPM has improved its POA&M management system. Using this system, the agency provided, on 08-27-19, milestones showing timely validation of evidence for closing one US-CERT recommendation. However, OPM has not provided support showing timely validation of 16 other US-CERT recommendations that it has closed. OPM needs to provide evidence of timely validation of these 16 completed recommendations, or evidence for the two US-CERT recommendations that remain open, once these two have been closed and validated. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with the recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop role-based training requirements for its continuous monitoring program, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to issue role-based training requirements for individuals who configure and maintain the deployed continuous diagnostics and mitigation tools. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.

Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, but the agency provided some evidence of its progress in implementing this recommendation. When IRS fully implements this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should develop metrics for assessing adherence to applicable principles in carrying out statutorily required functions.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish methods for monitoring the implementation of cybersecurity functions against the principles on an ongoing basis.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should integrate information related to security incidents to provide management with more complete information about NCCIC operations.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should determine the necessity of reducing, consolidating, or modifying the points of entry used to communicate with NCCIC to better ensure that all incident tickets are logged appropriately.

Agency: Department of Homeland Security
Status: Open

Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should take steps to ensure the full representation of the owners and operators of the nation's most critical cyber-dependent infrastructure assets.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forms and mechanisms that Section 9 entities receive cybersecurity information: through HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.

Recommendation: To more fully address the requirements identified in the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015, the Secretary of the Department of Homeland Security should establish plans and time frames for consolidating or integrating the legacy networks used by NCCIC analysts to reduce the need for manual data entry.

Agency: Department of Homeland Security
Status: Open

Comments: In November 2019 DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Commerce
Status: Open

Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed-up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Energy
Status: Open

Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Housing and Urban Development
Status: Open

Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Social Security Administration
Status: Open

Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Labor
Status: Open

Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of the Treasury
Status: Open

Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of State
Status: Open

Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Environmental Protection Agency
Status: Open

Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as although EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Office of Personnel Management
Status: Open

Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process, that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

Agency: Department of Labor
Status: Open

Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, are rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow-up with the department to obtain documentation of its efforts to address the recommendation.

Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.

Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.

Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.

Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities. As of March 2020, OPM has not provided evidence that it has completed these actions.

Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with our recommendation. The agency has conducted security control assessments for the two systems, but these assessments did not show that technical controls were comprehensively tested. According to VA, the agency will complete the next security control assessment in October 2019 and complete the system assessment report in December 2019. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to VA informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of IRS' FY 2019 financial statements, IRS indicated that it had not yet implemented this recommendation. When the agency indicates that it has implemented this recommendation, we will review its actions.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

Agency: Congress
Status: Open

Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of July 2020, Congress had not granted NCUA this authority.

Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During fiscal year 2018, Facilities Management and Security Services (FMSS) established training requirements for non-IRS contractors with unescorted physical access to IRS facilities and communicated these requirements to its employees. However, FMSS did not establish procedures to monitor whether these non-IRS contractors receive the required unauthorized access awareness training. In addition, during our fiscal year 2019 audit, we found instances in which non-IRS contractors with unescorted physical access to an IRS facility did not complete the required training.

Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at service center campuses and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2017, IRS held a meeting with Submission Processing executives, staff, and the Receipt and Control Operation managers from all five service center campuses (SCC), and as a result of the meeting, IRS developed an action plan to resolve the residual risks associated with candling at the SCCs. IRS officials stated that during fiscal year 2020, it will complete the developed action plan.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Offices finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During our audit of IRS's FY 2019 financial statements, , the agency submitted this recommendation for closure, but our testing determined it should remain open. Subsequently, IRS updated its anticipated closure date for the recommendation to July 2020. As part of our FY 2020 audit, we will continue to monitor IRS's progress in ensuring that its control testing methodology and results fully meet the intent of the control objectives being tested.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During the audit of IRS's FY 2019 financial statements, the agency submitted this recommendation for closure, but our testing determined that it should remain open. While IRS continued to make positive steps to address our recommendation, the agency's implementation of corrective actions did not fully address it. As part of our FY 2020 audit, we will continue to monitor IRS's progress in strengthening its remedial action verification process and ensuring its corrective actions are fully implemented.

Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

Agency: Department of Veterans Affairs
Status: Open

Comments: Veterans Affairs concurred with the recommendation but as of June 2020 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.