Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish measures to determine if the department is succeeding in achieving its goal to improve its financial management systems. Specifically, it should document targets and time frames to define the level of performance to be achieved. It should also document how DOD plans to measure expected outcomes by identifying data sources, how it plans to measure values, and how DOD plans to verify and validate measured values. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish a specific time frame for developing an enterprise road map to implement its financial management systems strategy, and ensure that it is developed. The road map should document the current and future states at a high level, from an architecture perspective, and present a transition plan for moving from the current to the future in an efficient, effective manner. The road map should discuss performance gaps, resource requirements, and planned solutions, and it should map DOD's financial management systems strategy to projects and budget. The plan should also document the tasks, time frames, and milestones for implementing new solutions, and include an inventory of systems. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to develop detailed migration plans for the Air Force's General Accounting and Finance System-Reengineered, Navy's Standard Accounting and Reporting System, and Army's Standard Finance System and the Standard Operation and Maintenance Army Research and Development System. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to establish performance goals that include performance indicators, targets and time frames, to monitor the status of efforts to address IT-related audit findings. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to implement a mechanism for identifying financial management systems that support the preparation of the department's financial statements in the department's systems inventory and budget data, and identify a complete list of financial management systems. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Chief Management Officer and other entities, as appropriate, to ensure that the department limits investments in financial management systems to only what is essential to maintain functioning systems and help ensure system security until it implements the other recommendations in this report. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should develop formal procedures that include specific steps to be taken in the APD review process, including how CMS will document the review (including the name of the reviewer, date of review, and what was reviewed); what documentation should be retained after the review; as well as decision-making criteria for approval or denial decisions for state Medicaid IT funding requests. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, as part of the APD review process and prior to approval, verify that all of the required information (e.g. alternatives analysis, feasibility study, and cost benefit analysis) is included in the funding request. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should ensure that all APD-related artifacts are retained within the designated CMS document management system, including documentation of key information from meetings and email communications with the states, the MITA self-assessment and independent verification and validation reports, when creating APD decision packages. (Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should require analysts to maintain relevant MMIS and E&E system artifacts based on the entire system life cycle instead of individual APDs. (Recommendation 4)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, in consultation with the HHS and CMS CIOs, develop a documented, comprehensive, and risk-based process for how CMS will select IT projects for technical assistance and provide recommendations to states to assist them in improving the performance of the systems, with consideration to those that are high-cost and performing poorly. (Recommendation 5)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should encourage state Medicaid program officials to consider involving state CIOs in overseeing Medicaid IT projects. (Recommendation 6)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should establish a timeline for implementing the outcome-based certification process for MMIS and E&E systems. (Recommendation 7)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should establish documented procedures for how the results of the outcome-based certification process will be used for conducting oversight and making funding decisions. The procedures should include specific steps that CMCS will take to oversee individual state MMIS and E&E projects and how it will demonstrate that the steps have been taken. (Recommendation 8)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Prior to approving funding for MMIS and E&E systems, the Administrator of CMS should identify areas of duplication or common functionality, such as core MMIS modules, in order to facilitate sharing, leveraging, or reusing Medicaid technologies. CMS should share the results of the review with the state or territory requesting federal funding for a duplicative or similar project and take steps to encourage states to share, leverage, or reuse Medicaid technologies, where possible. (Recommendation 9)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 7)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 8)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should configure its CDM tools to compare configuration settings against federal core benchmarks and agency-specific variations applicable to its environment. (Recommendation 9)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools. (Recommendation 10)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 11)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should configure its CDM tools to compare configuration settings against federal core benchmarks applicable to its environment. (Recommendation 12)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 13)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 14)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should configure its CDM tools to compare configuration settings against agency-specific benchmarks applicable to its environment. (Recommendation 15)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commandant of the Coast Guard should ensure that the Deputy Commandant for Mission Support assesses and addresses the causes of data errors and inconsistent entries in MISLE as identified by program offices and MISLE users, including reviewing MISLE training and data validation processes. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commandant of the Coast Guard should ensure that the Deputy Commandant for Mission Support uses the results of its 2019 Standardization Team assessment of command centers to develop a plan for improving the consistency and accuracy of MISLE data identified in its report. (Recommendation 2)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commandant of the Coast Guard should ensure that the Deputy Commandant for Mission Support and the Deputy Commandant for Operations use the processes outlined in the SELC to identify needed enhancements across the MISLE system by developing an updated mission needs statement. (Recommendation 3)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commandant of the Coast Guard should ensure that the Deputy Commandant for Mission Support and the Deputy Commandant for Operations use the processes outlined in the SELC to identify and analyze alternatives, and objectively select the preferred solution for MISLE to meet approved mission needs. (Recommendation 4)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS's rationale for maintaining any requirements variances.(Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 4)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 5)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 6)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 7)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document the SSA's rationale for maintaining any requirements variances. (Recommendation 10)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 11)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 12)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense did not concur with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense partially concurred with this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the F-35 Program Executive Officer, develops a program-wide process for measuring, collecting, and tracking information on how ALIS is affecting the performance of the F-35 fleet to include, but not be limited to, its effects on mission capability rates. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the F-35 Program Executive Officer, develops and implements a strategy for the re-design of ALIS. The strategy should be detailed enough to clearly identify and assess the goals, key risks or uncertainties, and costs of re-designing the system. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the U.S. Marshals Service should take steps to ensure that supervisory review of division and district investigations is documented in accordance with USMS policy. (Recommendation 1)

Agency: Department of Justice: United States Marshals Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ATF should develop policy for verifying the accuracy and completeness of information in ATF employee misconduct systems. (Recommendation 2)

Agency: Department of Justice: Bureau of Alcohol, Tobacco, Firearms and Explosives
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the U.S. Marshals Service should develop policy for verifying the accuracy and completeness of information in USMS employee misconduct systems. (Recommendation 3)

Agency: Department of Justice: United States Marshals Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ATF should develop a performance measure to monitor the timeliness of misconduct investigations, according to policy requirements. (Recommendation 4)

Agency: Department of Justice: Bureau of Alcohol, Tobacco, Firearms and Explosives
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the U.S. Marshals Service should develop a performance measure to monitor the timeliness of district and division misconduct investigations, according to policy requirements. (Recommendation 5)

Agency: Department of Justice: United States Marshals Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ATF should modify existing oversight mechanisms to include the monitoring of key internal controls related to employee misconduct investigations. (Recommendation 6)

Agency: Department of Justice: Bureau of Alcohol, Tobacco, Firearms and Explosives
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the U.S. Marshals Service should modify existing oversight mechanisms to fully monitor key internal controls related to employee misconduct investigations. (Recommendation 7)

Agency: Department of Justice: United States Marshals Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the NMB should document NMB's authorizations for its use of cloud services approved through FedRAMP and submit the authorizations to the FedRAMP Program Management Office. (Recommendation 1)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should update NMB's security policies and procedures to include FedRAMP's authorization requirements. (Recommendation 2)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should develop a written plan to document NMB's process for reviewing and monitoring the agency's annual appropriation to ensure that funds are used effectively. (Recommendation 3)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Chairman of the NMB should establish a process for the Board to effectively monitor and evaluate NMB's adherence to audit protocols and implementation of actions to address audit recommendations. (Recommendation 4)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management. (Recommendation 1)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was in the process of revising its IT systems project planning to ensure the development and implementation of policies and procedure incorporating key cybersecurity activities. The agency also stated that it plans to hire an IT Security Project Manager in order to acquire the necessary cybersecurity expertise needed to implement this recommendation and to ensure that sufficient time and resources can be dedicated to the development and implementation of these policies and procedures. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of oversight procedures for each externally-operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and, (4) reviewing the assessment. (Recommendation 2)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing oversight procedures for each externally-operated system. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function. (Recommendation 3)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it had expanded the office's IT Director's role to formally include the functions of an IT Risk Executive and was in the process of establishing the roles and responsibilities. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy. (Recommendation 4)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing a cybersecurity risk management strategy. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. (Recommendation 5)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that, once the position of IT Security Project Manager is filled and the IT Risk Executive functions are formalized, the agency is planning to commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. We will continue to monitor OCWR's progress in addressing this recommendation

Recommendation: The Commandant of the Coast Guard should direct the Assistant Commandant for Engineering and Logistics and Assistant Commandant for Prevention Policy to update the Coast Guard's ATON-related initiatives to include the specific outcomes to be achieved and associated time frames. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: DHS concurred with our recommendation and stated that the Coast Guard plans to review and update ATON-related initiatives to include specific outcomes with associated implementation milestones by December 31, 2020.

Recommendation: The Secretary of Homeland Security should develop a strategy to independently validate selected agencies' self-reported actions on meeting binding operational directive requirements, where feasible, using a risk-based approach. (Recommendation 2)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.

Recommendation: The Secretary of Homeland Security should develop a schedule and plan for completing the high value asset program reassessment and addressing the outstanding issues on completing the required high value asset assessments, identifying needed resources, and finalizing guidance for Tier 2 and 3 HVA systems. (Recommendation 4)

Agency: Department of Homeland Security: Office of the Secretary
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The DEA Administrator should develop and implement additional ways to use algorithms in analyzing ARCOS and other data to more proactively identify problematic drug transaction patterns. (Recommendation 1)

Agency: Department of Justice: Drug Enforcement Administration
Status: Open
Priority recommendation

Comments: DOJ agreed with this recommendation and DEA stated it will continue to examine a variety of technologies to analyze ARCOS and other data and implement additional ways to use algorithms to more proactively identify problematic drug transaction patterns.

Recommendation: The DEA Administrator, in coordination with the department-wide efforts on data strategy, should establish and document a data governance structure to ensure DEA is maximizing its management of industry-reported drug transaction data. (Recommendation 2)

Agency: Department of Justice: Drug Enforcement Administration
Status: Open
Priority recommendation

Comments: DOJ agreed with this recommendation. As of September 2019, DEA officials stated that its Office of Information Systems' Chief Data Officer just recently started to work with DOJ and other components to develop a data strategy in response to the recently released department wide strategy, and has begun efforts to develop a governance structure. In November, 2019 DEA indicated it will continue to mature its data governance structure. The intent of this recommendation is for DEA to establish a formalized data governance structure to manage its collection and use of data used to support the Diversion Control Division's mission.

Recommendation: The DEA Administrator should establish outcome-oriented goals and associated measurable performance targets related to opioid diversion activities, using data it collects, to assess how the data it obtains and uses supports its diversion control activities. (Recommendation 3)

Agency: Department of Justice: Drug Enforcement Administration
Status: Open
Priority recommendation

Comments: DOJ neither agreed nor disagreed with this recommendation but DEA stated in November 2019, that it recognizes that measurable performance targets related to opioid diversion activities can serve as leading practices at different organizational levels including the program, project, or activity level. Our recommendation is intended to ensure that DEA can demonstrate the usefulness of the data it collects and uses to support its opioid diversion control activities.

Recommendation: The DEA Administrator, in consultation with industry stakeholders, should identify solutions to address the limitations of the ARCOS Enhanced Lookup Buyer Statistic Tool, to ensure registrants have the most useful information possible to assist them in identifying and reporting suspicious orders to DEA. (Recommendation 4)

Agency: Department of Justice: Drug Enforcement Administration
Status: Open
Priority recommendation

Comments: DOJ agreed with this recommendation and in November 2019, stated it has consulted with industry stakeholders and identified solutions to address the limitations of the tool.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment develop and implement a plan to guide and coordinate efforts to implement the Wideband AOA recommendations to support timely, informed decisions on its next wideband satellite communications architecture. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: DOD concurred with our recommendation, but as of July 2020 is still working to implement its corrective action plan.

Recommendation: The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Priority recommendation

Comments: OMB neither agreed nor disagreed with this recommendation and as of September 2020, the office has not provided information on its actions to implement our recommendation. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. We will update the status of this recommendation when OMB provides information on its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update security plans for selected systems to include the description of security controls and reviews and approvals plan. (Recommendation 4)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office and estimated funding required and anticipated source of funding. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status once CDC provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for selected system to identify the summarized results of control effectiveness tests. (Recommendation 12)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18)

Agency: Department of Health and Human Services: Office of the Secretary
Status: Open

Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.

Recommendation: The Administrator of EPA should update security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21)

Agency: Environmental Protection Agency
Status: Open

Comments: In June 2020, EPA stated it is taking action to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should prepare the letter authorizing the use of cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The Administrator of EPA should develop guidance requiring that cloud service authorization letter be provided to the FedRAMP program management office. (Recommendation 23)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any additional evidence. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.

Recommendation: The SBA Administrator should assign and document clear roles, responsibilities, and reporting lines for headquarters offices' implementation of SBA's plan for addressing the White House Initiative on HBCUs in a timely manner. (Recommendation 1)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Associate Administrator of the Office of Entrepreneurial Development should take and document steps to ensure that the office's reporting mechanisms collect the information needed to establish a baseline for, and also inform future monitoring and assessment of, efforts to support HBCUs. (Recommendation 3)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Associate Administrators of the Office of Entrepreneurial Development and Office of Field Operations should communicate planned efforts to support HBCUs, including expectations, goals, and related measures, to the district offices and Small Business Development Centers with HBCUs in their service areas. (Recommendation 2)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the VA should direct the Under Secretary for Health to collect complete staffing data for the Family Caregiver Program that includes Caregiver Support Program Office funded staff, VAMC funded staff, and staff that assist the program as a collateral duty at each VAMC. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation. The Veterans Health Administration (VHA) has reported that the Caregiver Support Program Office had identified a solution for identifying VHA Family Caregiver Program staff in the Human Resource (HR) Smart system. VHA reported that current full- and part-time employees funded by the Caregiver Support Program Office will be identified with a specific specialty code in HR Smart. However, as of April 2020, this capability was not yet available in HR Smart and staffing for the program continued to be manually updated and tracked. Further, the proposed use of HR Smart will still not result in complete information that the Caregiver Support Program Office can use to track all staff who support the program because according to VHA, staff that assist the program as a collateral duty and VAMC-funded staff who support the program will not be tracked through HR Smart. As of July 2020, this recommendation remains open pending further updates from VHA.

Recommendation: The Secretary of the VA should direct the Under Secretary for Health to establish a process to ensure that the Family Caregiver Program staffing data that are collected and reported to the Caregiver Support Program Office are accurate. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open

Comments: VHA concurred with this recommendation. In February 2020, the Veterans Health Administration (VHA) reported that the Caregiver Support Program Office had identified a solution for identifying full-time VHA Family Caregiver Program staff in the Human Resource (HR) Smart system through the use of a specific specialty code. VHA reported that once implemented, the use of the HR SMART specialty code would provide more accurate information regarding staffing. In April 2020, VHA stated that were would also be a static field called "position skill type" that would track positions with a skill type category of caregiver and that Veterans Integrated Service Network (VISN) leads for the Family Caregiver Program would use this field to cross check the new specialty code and identify and correct any reporting inconsistencies. As of July 2020, this recommendation remains open pending further updates from VHA.

Recommendation: The Secretary of Defense should ensure the department implements the pilot program by releasing at least 20 percent of newly custom-developed code as open source software (OSS). (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter provided to GAO, the 20 percent software release target is unlikely achievable due to the nature of code that is custom developed by the department. However, the department is mandated by law to implement the open source software pilot program established by the Office of Management and Budget's memorandum M-16-21. Releasing at least 20 percent of newly custom-developed code is a requirement of this program. GAO will continue to follow-up on the status of the pilot program.

Recommendation: The Secretary of Defense should ensure the department identifies a measure to calculate the percentage of code released to gauge its progress on implementing the pilot program. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense partially agreed with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter sent to GAO, the department intends to release updated guidance on the release of custom-developed code as open-source software and will include metrics. The department estimated that the updated policy will be completed in the 3rd quarter of fiscal year 2020. GAO will follow-up with the agency to obtain the status of the updated guidance.

Recommendation: The Secretary of State should ensure that the Director of State's Office of U.S. Foreign Assistance Resources conducts a review of the Section 653(a) process to identify process steps that can be streamlined or eliminated and determine the time frame needed to prepare the annual Section 653(a) report. If State determines that the time frame exceeds 30 days, the office should coordinate with other appropriate officials to submit a legislative proposal to Congress to extend the mandated time frame for submitting Section 653(a) reports. (Recommendation 1)

Agency: Department of State
Status: Open
Priority recommendation

Comments: State indicated in their letter commenting on GAO-19-600 that they concurred with this recommendation. In their comments, State said they would determine a reasonable time frame for completing the report and will coordinate with appropriate officials regarding a potential legislative proposal to Congress.

Recommendation: The Secretary of State should ensure that the Director of State's Office of U.S. Foreign Assistance Resources improves the data collection from the many sources contributing to the Section 653(a) reports, such as by enhancing their data information systems. (Recommendation 2)

Agency: Department of State
Status: Open

Comments: State indicated in their letter commenting on GAO-19-600 that they concurred with this recommendation. In their comments, State said they are taking steps to modify their Foreign Assistance Coordination and Tracking System database to improve the collection of relevant data.

Recommendation: The Secretary of State should develop a plan to address vacancies within State's Office of U.S. Foreign Assistance Resources, consulting with the USAID Administrator as appropriate. (Recommendation 3)

Agency: Department of State
Status: Open

Comments: State indicated in their letter commenting on GAO-19-600 that they concurred with this recommendation. In their comments, State said they are developing a plan in coordination with USAID to fill existing vacancies, and are recruiting State and USAID employees to serve on details to fill existing staffing gaps.

Recommendation: The Director of OMB should expand its coordination of CyberStat review meetings for those agencies with a demonstrated need for assistance in implementing information security. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: In January 2020, OMB officials stated that they have incorporated agency feedback for enhancing the CyberStat program into an updated concept of operations document that is currently in draft. To consider this recommendation fully implemented, OMB needs to provide us with an updated concept of operations document for the CyberStat program, and demonstrate the expansion of CyberStat review meetings to agencies that require additional assistance due to persistent information security deficiencies. As of September 2020, OMB has not provided sufficient evidence to close this recommendation.

Recommendation: The Director of OMB should collaborate with CIGIE to ensure that the inspector general reporting metrics include the FISMA-required information security program element for system security plans. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of September 2020, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.

Recommendation: The Secretary of VA should direct the Under Secretary for Health and the Assistant Secretary for Information and Technology/Chief Information Officer to develop and implement a methodology for reliably identifying and reporting the total costs of VistA. The methodology should include steps to identify the definition of VistA and what is to be included in its sustainment activities, as well as ensure that comprehensive costs are corroborated by reliable data. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) generally agreed with our conclusions and concurred with our recommendation. In a January 2020 update, the department described steps it planned to take to address the recommendation including establishing a team of experts to formulate a comprehensive taxonomy for VistA and all of its components, identifying authoritative and reliable data sources to assign costs to those components, and developing a methodology for ongoing cost tracking and reporting. The department expects these steps to be implemented by September 30, 2020. We will continue to monitor the department's progress to address this recommendation.

Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.

Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response-with performance measures and milestones, where appropriate-to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.

Recommendation: The FEMA Administrator should ensure that the GMM program management office finalizes the organizational change management plan and time frames for implementing change management actions. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office updates the program schedule to address the leading practices for a reliable schedule identified in this report. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the FEMA Office of the Chief Information Officer (OCIO) defines sufficiently detailed planned evaluation methods and actual evaluation methods for assessing security controls. (Recommendation 5)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the FEMA OCIO approves a security assessment plan before security assessment reviews are conducted. (Recommendation 6)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office follows DHS guidance on preparing corrective action plans for all security vulnerabilities. (Recommendation 7)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The FEMA Administrator should ensure that the GMM program management office fully tests all of its security controls for the system. (Recommendation 8)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.

Recommendation: The Director of the Office of Management and Budget should require agencies to explicitly report, at least on a quarterly basis, the savings and cost avoidance associated with cloud computing investments. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the CIO of Agriculture establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.

Recommendation: The Secretary of Commerce should ensure that the CIO of Commerce establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.

Recommendation: The Secretary of Defense should ensure that the CIO of Defense establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.

Recommendation: The Secretary of Education should ensure that the CIO of Education completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 8)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Education should ensure that the CIO of Education establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 9)

Agency: Department of Education
Status: Open

Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess new acquisitions for these services. (Recommendation 10)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 11)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of Energy should ensure that the CIO of Energy establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 12)

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.

Recommendation: The Secretary of the Department of Health and Human Services (HHS) should ensure that the CIO of HHS establishes guidance on assessing new and existing IT investments for suitability for cloud computing services, in accordance with OMB guidance. (Recommendation 13)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 14)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Health and Human Services should ensure that the CIO of HHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 15)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of the Department of Homeland Security (DHS) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Homeland Security should ensure that the CIO of DHS establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 17)

Agency: Department of Homeland Security
Status: Open

Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 18)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation, and stated that it would require components to assess all investments for cloud. However as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.

Recommendation: The Attorney General of the United States should ensure that the CIO of Justice establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 19)

Agency: Department of Justice
Status: Open

Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 20)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud smart but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 21)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of Labor should ensure that the CIO of Labor establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 22)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.

Recommendation: The Secretary of State should ensure that the CIO of State establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 23)

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 24)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of the Treasury should ensure that the CIO of Treasury establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 25)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes guidance on assessing new and existing IT investments for suitability for cloud computing services. (Recommendation 26)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Transportation should ensure that the CIO of Transportation establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 28)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of the Department of Veterans Affairs (VA) completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 29)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the CIO of VA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 30)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Administrator of General Services should ensure that the CIO of the General Services Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 31)

Agency: General Services Administration
Status: Open

Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequent the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.

Recommendation: The Administrator of the Small Business Administration should ensure that the CIO of the Small Business Administration establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 32)

Agency: Small Business Administration
Status: Open

Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of the Social Security Administration (SSA) updates the agency's guidance on assessing IT investments for suitability for cloud computing services to include a requirement to assess existing investments for these services. (Recommendation 33)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA completes an assessment of all IT investments for suitability for migration to a cloud computing service, in accordance with OMB guidance. (Recommendation 34)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: The Commissioner of the Social Security Administration should ensure that the CIO of SSA establishes a consistent and repeatable mechanism to track savings and cost avoidances from the migration and deployment of cloud services. (Recommendation 35)

Agency: Social Security Administration
Status: Open

Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.

Recommendation: Congress should consider taking legislative action to resolve the long-standing issues between the Corps and the Advisory Council on Historic Preservation over the Corps Regulatory Program's procedures for implementing section 106 of the National Historic Preservation Act. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: When we determine what steps the Congress has taken, we will provide updated information

Recommendation: The Secretary of Energy should develop a documented policy or clarify existing policy to implement the statutory requirement to consult with Alaska Native Corporations (ANC) on the same basis as Indian tribes under Executive Order 13175. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: As of April 2020, the Department of Energy plans to clarify and consolidate its consultation policies and practices for consultation with Alaska Native Corporations by June 2021.

Recommendation: The Administrator of the Environmental Protection Agency should develop a documented policy or clarify existing policy to implement the statutory requirement to consult with ANCs on the same basis as Indian tribes under Executive Order 13175. (Recommendation 2)

Agency: Environmental Protection Agency
Status: Open

Comments: In December 2019, EPA created a draft document, Guiding Principles for Consulting with Alaska Native Claims Settlement Act Corporations, and issued it for consultation with Alaska Native Corporations (ANCs). The draft guiding principles seek to clarify EPA's consultation and coordination practices with ANCs. Additionally, according to agency officials, an EPA working group is in the process of developing an internal, best practices implementation guide. As of April 2020, EPA expects to finalize these guidance documents in 2020

Recommendation: The Secretary of Housing and Urban Development should develop a documented policy or clarify existing policy to implement the statutory requirement to consult with ANCs on the same basis as Indian tribes under Executive Order 13175. (Recommendation 3)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should establish a time frame for developing or updating policy to implement the statutory requirement to consult with ANCs on the same basis as Indian tribes under Executive Order 13175. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: In February 2019, the Department of Homeland Security provided GAO documentation supporting a planned time frame of March 2020 for developing and updating its consultation policy to implement the statutory requirement to consult with ANCs in response to this recommendation. We plan to close the recommendation after reviewing documentation that the policy has been updated.

Recommendation: The Assistant to the Secretary of Agriculture for Rural Development should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on proposed infrastructure projects. (Recommendation 6)

Agency: Department of Agriculture: Rural Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of Civil Works of the Corps should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 7)

Agency: Department of Defense: Department of the Army: Corps of Engineers: Civil Works
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director for the Bureau of Ocean Energy Management should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 8)

Agency: Department of the Interior: Bureau of Ocean Energy Management
Status: Open

Comments: As of September 2019, Bureau of Ocean Energy Management (BOEM) plans to amend its tribal consultation policy with policies and procedures for communicating with tribes after consultation by December 2020.

Recommendation: The Secretary of Energy should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 10)

Agency: Department of Energy
Status: Open

Comments: As of April 2020, the Department of Energy indicated that it plans to document policies for communicating about how input from tribal consultation was considered in agency decisions on infrastructure projects by June 2021.

Recommendation: The Administrator of the Federal Highway Administration should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 14)

Agency: Department of Transportation: Federal Highway Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 16)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 17)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 19)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Transportation should document in the agency's tribal consultation policy how agency officials are to communicate with tribes about how tribal input from consultation was considered in agency decisions on infrastructure projects. (Recommendation 20)

Agency: Department of Transportation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.

Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.

Recommendation: The Secretary of DHS should direct the appropriate staff to work with OMB to follow up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: DHS provided evidence in December 2019 but it was insufficient to close this recommendation. We will continue to follow-up with DHS.

Recommendation: The Director of OMB should submit the intrusion assessment plan to the appropriate congressional committees. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should report on implementation of the defense-in-depth strategy described in the intrusion assessment plan, including all elements described in the plan. (Recommendation 4)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should update the analysis of agencies' intrusion detection and prevention capabilities to include the degree to which agencies are using NCPS. (Recommendation 5)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to update her report to Congress to include required information, such as detecting advanced persistent threats, a comparison of the costs and benefits of the capabilities versus commercial technologies and tools, and the capability of agencies to protect sensitive cyber threat indicators and defense measures. (Recommendation 6)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Director of OMB should direct the Federal CIO to work with DHS to follow-up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities. (Recommendation 9)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow-up with OMB.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment to identify the reasons behind the high rate of miscoding for orders awarded under multiple award contracts and use this information to identify and take action to improve the reliability of the competition data entered into FPDS-NG. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: In November 2018, and in response to our draft report, DOD stated that it would analyze the Federal Procurement Data System- Next Generation data in an effort to identify why the miscoding of orders under multiple award contracts occurs, and use this information to advise the contracting community of actions to improve the reliability of the competition data. In July 2019, DOD officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, DOD officials did not respond to our multiple requests for updates to this recommendation.

Recommendation: The Secretary of Health and Human Services should direct the Associate Deputy Assistant Secretary for Acquisition to identify the reasons behind the high rate of miscoding for orders awarded under multiple award contracts and use this information to identify and take action to improve the reliability of the competition data entered into FPDS-NG. (Recommendation 2)

Agency: Department of Health and Human Services
Status: Open

Comments: In February 2019, HHS stated it was performing analysis and research to understand the reasons for the miscoding of orders. Once this analysis and research is completed, HHS reported it plans to work to address the root causes of the previously identified miscodings, so as to prevent future errors. In July 2019, HHS officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, HHS officials did not respond to our multiple requests for updates to this recommendation.

Recommendation: The Secretary of Education should enroll loan servicers in FSA's continuous monitoring program and, in the interim, require these entities to report the results of security controls testing at an FSA-defined frequency. (Recommendation 1)

Agency: Department of Education
Status: Open

Comments: FSA concurred with this recommendation and the agency stated that loan servicers are scheduled to be enrolled in its ongoing security authorization program beginning in fiscal year 2019. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should enroll private collection agencies in FSA's continuous monitoring program, and, in the interim, require these entities to test all controls at an FSA-defined frequency and regularly report the results. (Recommendation 2)

Agency: Department of Education
Status: Open

Comments: FSA stated that it concurred with this recommendation, but the actions it said it planned to take would not fully address it. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should modify FSA's agreements with guaranty agencies to specify a required baseline of security controls based on the impact level of the information shared with these agencies, as determined by FSA. (Recommendation 3)

Agency: Department of Education
Status: Open

Comments: FSA concurred with this recommendation and described planned actions to address it. In November 2019, FSA officials told us that this recommendation has a pending date of 5/31/2020 for completion When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should establish a process for continuous monitoring of guaranty agencies' implementation of security and privacy requirements between on-site assessments, to include testing all controls at an FSA-defined frequency and regularly reporting results. (Recommendation 4)

Agency: Department of Education
Status: Open

Comments: FSA partially concurred with this recommendation and described actions it planned to take in response. However, we believe the entire recommendation is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should include specific security and privacy requirements in agreements with the Federal Family Education Loan (FFEL) Program lenders based on FSA's categorization of the information shared with the lenders. (Recommendation 5)

Agency: Department of Education
Status: Open

Comments: FSA stated that it partially agreed with this recommendation; however, if effectively implemented, the planned actions it described would address this recommendation. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Education should develop policies and procedures to gain assurance that FFEL lenders have appropriate security and privacy controls in place and that these controls are being regularly tested and monitored. (Recommendation 6)

Agency: Department of Education
Status: Open

Comments: FSA did not concur with this recommendation. However, we believe it is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.

Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The agency agreed with the recommendation and, in October 2018, described a a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.

Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.

Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)

Agency: Department of Health and Human Services
Status: Open

Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.

Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)

Agency: Department of Homeland Security
Status: Open

Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.

Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)

Agency: Department of Housing and Urban Development
Status: Open

Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.

Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)

Agency: Department of the Interior
Status: Open

Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.

Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)

Agency: Department of Justice
Status: Open

Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)

Agency: Department of Labor
Status: Open

Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.

Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)

Agency: Department of State
Status: Open

Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.

Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)

Agency: Department of Transportation
Status: Open

Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)

Agency: Department of the Treasury
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.

Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)

Agency: National Science Foundation
Status: Open

Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agencies' policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.

Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.

Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)

Agency: Office of Personnel Management
Status: Open

Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan's revised in 2019 addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: The Department of Veterans Affairs (VA) Inspector General should revise its policy to include a requirement to verify whether evidence produced in senior-official case referrals demonstrates that the six elements required in VA Directive 0701 have been addressed. (Recommendation 6)

Agency: Department of Veterans Affairs
Status: Open

Comments: The VA Office of the Inspector General updated VA Directive 0701 to require a written or electronic signature from the person preparing the response that the specific requirements of the directive were met. The updated version of the directive was submitted to the Department, the concurrence was signed on November 16, 2018. As of January 2019, the VA OIG was working with the VA to finalize and publish the directive. On February 15, 2019, the VA OIG contacted GAO with revised language for VA Directive 0701. The language clarified the requirement to include a signature and attestation by the person preparing the response. As of June 2020, the VA OIG is in the process of working with the VA administration to finalize and publish the directive. In September 2020, GAO requested an update from the VA OIG on the status of publishing the directive.

Recommendation: The Secretary of Commerce should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, identify strategies for mitigating any gaps identified, and report this information to Congress. (Recommendation 1)

Agency: Department of Commerce
Status: Open

Comments: Department of Commerce (Commerce) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, and to identify strategies for mitigating any gaps identified. As of August 2020, Commerce had not provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: The Secretary of Energy should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 5)

Agency: Department of Energy
Status: Open

Comments: Department of Energy (DOE) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping that is due for release in November 2018. DOE officials plan to develop criteria to identify personnel who are prepared to take certification exams and will perform a department-wide evaluation, after which they plan to report to Congress by a target date of September 30, 2019. As of August 2020, DOE had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Recommendation: The Secretary of the Interior should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 11)

Agency: Department of the Interior
Status: Open

Comments: Department of the Interior (Interior) concurred with our recommendation. Officials from the department stated they were developing a plan to assess the workforce's preparedness to complete and maintain certifications. Interior officials stated that they were planning to leverage its learning and performance management system for assessing the level of preparedness of cybersecurity personnel to take certification exams and planned to report to Congress by March 2021. As of August 2020, HUD had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.

Recommendation: The Administrator of the National Aeronautics and Space Administration should evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams and report this information to Congress. (Recommendation 16)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: National Aeronautics and Space Administration (NASA) did not concur with our recommendation and has not yet provided evidence that it has implemented the recommendation as of August 2020. We will continue to monitor the situation.

Recommendation: The Administrator of the Small Business Administration should conduct a baseline assessment of the department's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel. (Recommendation 25)

Agency: Small Business Administration
Status: Open

Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2020, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: The Administrator of the Small Business Administration should submit a report of its baseline assessment of its existing cybersecurity workforce to the appropriate congressional committees of jurisdiction. (Recommendation 26)

Agency: Small Business Administration
Status: Open

Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2020, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment to update the policy or guidance for MAIS business programs. Specifically, the update should include the following elements: (1) establishment of initial and current baseline cost and schedule estimates, (2) predetermined threshold cost and schedule estimates to identify the point when programs may be at high risk, and (3) quarterly and annual reports on the performance of programs to stakeholders. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: In January 2020, the Under Secretary of Defense for Acquisition and Sustainment issued an updated instruction on defense business systems requirements and acquisition, which included guidance on establishing baseline cost and schedule estimates and considering progress against the baselines at key decision points. However, the instruction does not make a distinction between initial and current baselines. Further, it did not include thresholds for cost and schedule variances or specify periodic reporting of program performance information to stakeholders. According to an official in the office of the Under Secretary of Defense for Acquisition and Sustainment, the office does not intend to add the elements of the recommendation related to thresholds and reporting. Specifically, according to the official, the office considers specifying predetermined threshold cost and schedule estimates and frequency for status reporting to be matters for implementation guidance issued by department components or determined by a program decision authority. However, until the department demonstrates that it has fully addressed the recommendation, it is limited in its ability to ensure that effective system acquisition management controls are implemented for each major business system investment and that stakeholders have the information needed to make informed decisions for managing and overseeing these investments. We will continue to monitor the department's implementation of the recommendation.

Recommendation: The Secretary of Defense should direct the Director of the Defense Health Agency to direct the program manager for the Defense Healthcare Management System Modernization program to: (1) finalize and approve its requirements management plan, (2) identify and document changes that should be made to plans and work products resulting from changes to the requirements baseline, and (3) quantify costs and benefits of risk mitigation within its program-level risk mitigation plans. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: As of November 2019, the Department of Defense had made progress addressing the intent of the recommendation related to requirements management; however, it needs to do more to improve DHMSM program risk management. Specifically, in March 2019, the DHMSM program manager approved a requirements management plan, which includes identifying and documenting changes that should be made to plans and work products resulting from changes to the baseline requirements. Specifically, it includes forward and backward configuration and change management of the baselined requirements and managing traceability of requirements to design artifacts, test cases, defects, and change requests. However, the program has not demonstrated that it quantifies costs and benefits of risk mitigation in its risk mitigation plans. Specifically, it did not demonstrate that it had updated its guidance to require that costs and benefits of risk mitigation plans be included in these plans. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: The Director of the Defense Security Service should determine how it will collaborate with stakeholders as it pilots a new approach to overseeing contractors with cleared facilities (DSS in Transition), including identifying roles and responsibilities and the related resources needed. (Recommendation 1)

Agency: Department of Defense: Defense Security Service
Status: Open

Comments: DOD agreed with this recommendation and as of February 2019, stated that it continues to pilot DSS in Transition at cleared facilities and use information gathered from stakeholders, including key government and industry stakeholder organizations to refine the process. On August 12, 2020, DOD stated that DSS was in the process of drafting a Corrective Action Plan. At that time, DOD officials explained that this plan would be completed in the fourth quarter of fiscal year 2019. As of September 2020, this plan has not been completed.

Recommendation: The Administrator of CMS, in partnership with the states, should take additional steps to expedite the use of T-MSIS data for program oversight. Such steps should include, but are not limited to, efforts to (1) obtain complete information from all states on unreported T-MSISdata elements and their plans to report applicable data elements; (2) identify and share information across states on known T-MSIS datalimitations to improve data comparability; and (3) implement mechanisms, such as the Learning Collaborative, by whichstates can collaborate on an ongoing basis to improve thecompleteness, comparability, and utility of T-MSIS data.(Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: HHS concurred with this recommendation. As of February 2020, CMS has taken steps to improve T-MSIS data quality, but further efforts are needed to expedite the data's use in oversight. With regard to obtaining complete information from all states, CMS released additional guidance in March 2019, on state compliance with T-MSIS requirements. This guidance includes the need to resolve data issues associated with 12 top priority items and missing data elements, both of which are key for using T-MSIS data. Further, CMS identified an additional 11 top priority items, noting it also expected states to resolve data issues with these items. CMS reports that it has helped resolve data issues related to these 23 top priority items by sending states summary data on compliance with associated reporting requirements. CMS has notified states of their compliance status and asked non-compliant states to submit corrective action plans. However, CMS reports that the level of states' T-MSIS data completeness varies and agency state liaisons and technical assistants continue to work individually with states to identify, prioritize, and resolve key missing data elements. With regard to identifying and sharing information, CMS has made some T-MSIS data available for use through five T-MSIS analytical files, which include data on Medicaid and CHIP enrollment, demographics, service utilization, and payments. Further, CMS has created resources to support researchers in their use of these analytical files, including information on the completeness and accuracy of certain data elements. With regard to implementing mechanisms for collaboration across states, additional CMS action is needed. In particular, CMS's efforts to create a mechanism for states to disseminate information about T-MSIS data and its comparability across states remain limited and the agency has not launched its proposed Learning Collaborative to facilitate ongoing feedback and collaboration. While progress has been made, additional actions, such as establishing mechanisms for ongoing feedback and collaboration across states, are needed to consider this recommendation implemented.

Recommendation: The Administrator of CMS should articulate a specific plan and associated time frames for using T-MSIS data for oversight. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: HHS concurred with this recommendation. As of February 2020, CMS has taken steps to articulate guidance to states, but has not outlined a specific plan and associated time frames for using T-MSIS data for oversight. Until CMS takes these actions, the recommendation remains open.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that state-based marketplace annual sustainability plans, to the extent possible, have complete 5-year budget forecasts. (Recommendation 1)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS did not concur with our recommendation and stated that it had updated its requirement to request 2-year budget forecasts instead of 5-year budget forecasts. In its December 2017 statement of actions, HHS stated that it was working to streamline and simplify its data collection effort as part of the annual sustainability plan. In April 2018, HHS provided a revised 2-year budget forecast template as well as related state marketplace training documentation. As of April 2020, HHS had not provided further documented evidence of its streamlined process using the 2-year budget forecast template or justification that a 5-year budget is not necessary for assessing long-term financial sustainability and state marketplace sustainability risks.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that all state-based marketplaces provide required annual financial audit reports which are in accordance with generally accepted government auditing standards. (Recommendation 2)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS concurred with our recommendation and stated in its December 2017 update that it continued to provide technical assistance such as webinars and other trainings on independent financial and programmatic audit submission requirements. In April 2018, HHS provided evidence that it had taken some steps to ensure that state-based marketplaces provide required annual financial audit reports, including draft financial audit procedures, documentation of related training provided to states, and a revised HHS state officer annual review checklist emphasizing financial audit reporting. However as of April 2020, the department had not provided evidence of finalized procedures, examples of checklist usage, or of states providing annual financial audit reports. Further, HHS training documentation stated that state-based marketplaces could provide alternate financial audit reports, such as a state-wide financial audit report, in lieu of a marketplace specific report. It is not clear from the provided evidence that the department has ensured that state-based marketplaces are in compliance with financial audit reporting requirements. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes further action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that marketplace IT self-sustainability risk assessments are based on fully defined measurable terms, a clear categorization process, and a defined response to high risks. (Recommendation 3)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS concurred with our recommendation and stated in its December 2017 update that it would refine its marketplace self-sustainability risk assessment process to provide greater insight into the state marketplace sustainability efforts and to identify areas where states may need assistance. In April 2018, HHS provided evidence that it had taken some steps to base its risk assessments on fully defined processes. CMS provided documentation of clearly defined and measurable terms used for state marketplace budget analysis. However, HHS did not provide evidence that these defined terms were incorporated into analyses or risk assessments. As of April 2020, CMS has not provided evidence that it took steps to develop a clear categorization process or a defined response to high risks. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that states develop, update, and follow performance measurement plans that allow the states to continuously identify and assess the most important IT metrics for their state marketplaces. (Recommendation 4)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that though each marketplace was accountable for managing and reporting its own IT metrics in accordance with federal and state law, HHS would work with states on the improvement of their management and operations through technical assistance and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to conduct operational analysis reviews and systematically monitor the performance of states' marketplace IT systems using key performance indicators. (Recommendation 5)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS did not concur with our recommendation and stated that it conducted Open Enrollment Readiness Reviews to assess marketplace key performance indicators, which according to CMS officials, are similar to operational analysis reviews. However, as of October 2018, HHS had not provided evidence that the Open Enrollment Readiness Reviewed systematically and comprehensively reported on the key performance indicators or include discussion of other key elements identified in best practices for operational analysis reviews, such as how objectives could be better met, or costs could be saved. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation.

Recommendation: The Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to take steps to ensure that metrics collected from states to monitor marketplaces' operational performance link to performance goals and include baselines and targets to monitor progress. (Recommendation 6)

Agency: Department of Health and Human Services
Status: Open

Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that states were responsible for monitoring their own performance measures but HHS would continue to review IT metrics of state marketplaces in the implementation phase of their systems through technical assistance activities and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially concurred with the recommendation. OPM has improved its POA&M management system. Using this system, the agency provided, on 08-27-19, milestones showing timely validation of evidence for closing one US-CERT recommendation. However, OPM has not provided support showing timely validation of 16 other US-CERT recommendations that it has closed. OPM needs to provide evidence of timely validation of these 16 completed recommendations, or evidence for the two US-CERT recommendations that remain open, once these two have been closed and validated. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with the recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop role-based training requirements for its continuous monitoring program, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to issue role-based training requirements for individuals who configure and maintain the deployed continuous diagnostics and mitigation tools. As of March 2020, OPM has not yet provided evidence of taking such actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, but the agency provided some evidence of its progress in implementing this recommendation. When IRS fully implements this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To determine whether CSA interventions influence motor carrier safety performance, the Secretary of Transportation should direct the FMCSA Administrator to identify and implement, as appropriate, methods to evaluate the effectiveness of individual intervention types or common intervention patterns to obtain more complete, appropriate, and accurate information on the effectiveness of interventions in improving motor carrier safety performance. In identifying and implementing appropriate methods, FMCSA should incorporate accepted practices for designing program effectiveness evaluations, including practices that would enable FMCSA to more confidently attribute changes in carriers' safety behavior to CSA interventions.

Agency: Department of Transportation
Status: Open

Comments: FMCSA has reviewed the methodology for its effectiveness model and identified many of the same limitations GAO discussed in its report. FMCSA also identified several approaches to address these limitations, including modifying its model to measure individual intervention types. However, as of July 2020, FMCSA had not implemented any of its proposed approaches.

Recommendation: To enable FMCSA management to monitor the agency's progress in achieving its effectiveness and efficiency outcomes for CSA interventions and balance priorities, the Secretary of Transportation should direct the FMCSA Administrator to establish and use performance measures to regularly monitor progress toward both FMCSA's effectiveness outcome and its efficiency outcome.

Agency: Department of Transportation
Status: Open

Comments: The Federal Motor Carrier Safety Administration (FMCSA) plans to establish an inventory of effectiveness and efficiency measures and monitor performance on an ongoing basis. FMCSA is working to modify its model to measure the effectiveness of individual intervention types. However, as of July 2020, it had not implemented any of its proposed modifications.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Commerce
Status: Open

Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed-up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Energy
Status: Open

Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Housing and Urban Development
Status: Open

Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Social Security Administration
Status: Open

Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of Labor
Status: Open

Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of the Treasury
Status: Open

Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Department of State
Status: Open

Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Environmental Protection Agency
Status: Open

Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as although EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Agency: Office of Personnel Management
Status: Open

Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Defense should direct the responsible official to modify the department's existing processes to collect and review cost, technical, and business information for the enterprise and business IT systems within the Enterprise Information Environment Mission Area applications which are currently not reviewed as part of the department's process for business systems.

Agency: Department of Defense
Status: Open

Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process, that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Homeland Security should direct the department's CIO to identify one high-cost function it could collect detailed cost, technical, and business information for and modify existing processes to collect and review this information.

Agency: Department of Homeland Security
Status: Open

Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.

Recommendation: To improve federal agencies' efforts to rationalize their portfolio of applications, the Secretaries of Defense, Homeland Security, the Interior, and Labor; and the Director of the National Science Foundation should direct the CIOs and other responsible officials to modify existing investment management processes to address applications more completely. Specifically, the Secretary of Labor should direct the department's CIO to consider a segmented approach to further rationalize and identify a function for which it would modify existing processes to collect and review application-specific cost, technical, and business value information.

Agency: Department of Labor
Status: Open

Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, are rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow-up with the department to obtain documentation of its efforts to address the recommendation.

Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.

Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.

Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to define a high-level depiction of the IT systems anticipated in the future state, a description of the operations that must be performed and who must perform them, and an explanation of where and how the operations are to be carried out.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had collaborated through an IT technical assessment initiative, identifying four primary financial management modernization initiatives remaining from the New Core Program. In July 2020, HUD officials, including the Deputy Chief Financial Officer, provided a roadmap that defined a high-level depiction of the financial management systems anticipated in the future state. However, the department had not yet completed more detailed plans that (1) identify operations that must be performed and who must perform them and (2) explain where and how operations are to be carried out. We will continue to monitor HUD's efforts to address this recommendation.

Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to develop comprehensive plans for scope, schedule and cost.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization. As of July 2020, the department had begun taking action to address this recommendation. Specifically, HUD planned to integrate loan and property management into its current financial management shared service and had begun planning for how to modernize its budget formulation and cost accounting systems. For the budget formulation effort, HUD had developed high-level plans for the scope of the program, planned an implementation schedule, and estimated on the cost for implementation and operating and maintaining the system for two years. We will continue to monitor HUD's efforts to address this recommendation.

Recommendation: To address weaknesses in the department's financial management systems modernization efforts, the Secretary of HUD should direct the Chief Financial Officer to work with the Chief Information Officer in managing subsequent initiatives to ensure requirements are fully documented and traceable.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. In March 2017, the department reported that the Chief Financial Officer and the Chief Information Officer intended to partner on future departmental financial management systems modernization efforts to fully document requirements and trace requirements to the functionality in the modernized system. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization in 4 areas previously identified for the New Core program. As of July 2020, HUD was in the early phases of planning for modernization in these areas. According to officials from the Office of the Chief Financial Officer, the department intended to address this recommendation for budget formulation modernization by developing applicable plans and artifacts for managing requirements from the department's project planning and management framework. However, that effort has not yet started. We intend to continue to follow up on HUD's actions.

Recommendation: The Secretary of HUD should also direct the Deputy Secretary to ensure that the Chief Information Officer takes action to improve IT governance control activities used for monitoring programs and identifying needed corrective actions, and strengthen investment oversight by improving coordination with stakeholders and alignment among IT modernization efforts.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In its comments on our draft report, HUD neither agreed nor disagreed with our recommendations, but noted that it planned to improve management practices and IT governance for future modernization efforts. Since 2016, HUD has revised its IT governance boards, which provide oversight of all its IT investments, including financial management initiatives, several times. While the department has not yet completed those improvement efforts, HUD updated its project planning and management framework to tailor requirements and artifacts for different program types. According to an official from the Office of the Chief Financial Officer, updates to the requirements for shared services projects incorporated lessons learned from the New Core program. In April 2019, HUD reported that the Office of the Chief Information Officer and Office of the Chief Financial Officer had identified a need to pursue financial management systems modernization in 4 areas previously identified for the New Core program. Officials from both offices have described improvements in their coordination and collaboration on efforts to plan for modernization. We intend to continue to follow up on HUD's actions to ensure that planned improvements to governance and oversight mechanisms are effectively implemented and institutionalized.

Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities. As of March 2020, OPM has not provided evidence that it has completed these actions.

Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with our recommendation. The agency has conducted security control assessments for the two systems, but these assessments did not show that technical controls were comprehensively tested. According to VA, the agency will complete the next security control assessment in October 2019 and complete the system assessment report in December 2019. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to VA informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer to improve the reliability of its cost estimates, conduct uncertainty and sensitivity analyses consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. According to DOD officials, as of July 2018, this recommendation conflicts with established Office of the Under Secretary of Defense/Cost Estimation and Program Evaluation guidance for cost estimation and uncertainty analysis. Absent a change in policy at that level, the Joint Program Office will continue to follow Office of the Under Secretary of Defense/Cost Estimation and Program Evaluation policy on this issue. We continue to believe that in order for any risks associated with ALIS to be addressed expediently and holistically, uncertainty and sensitivity analysis must be used on the F-35s cost estimates to improve its overall reliability. Thus, this recommendation will remain open.

Recommendation: To ensure that risks associated with ALIS are addressed expediently and holistically, the Secretary of Defense should direct the F-35 Program Executive Officer to improve the reliability of its cost estimates, ensure that future estimates of ALIS costs use historical data as available and reflect significant program changes consistent with cost-estimating best practices identified in GAO's Cost Estimating and Assessment Guide.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. According to DOD officials, since April 2016, the F-35 program has continued to update the ALIS estimate with the latest available cost data, based on recent contracts. Until more reliable actual costs become available, the program utilizes negotiated contract costs, incorporates program initiatives, and ensures the estimate reflects the latest technical baseline and requirements. Until actual costs associated with ALIS historical data are incorporated in the F-35 cost estimate, we believe that the estimate will not be as reliable as it could be. For this reason, this recommendation will remain open.

Recommendation: To help improve the management of MAIS programs, the Secretary of the Navy should direct the Common Aviation Command and Control System program manager to identify weaknesses in the requirements traceability process and take corrective actions to manage the traceability of requirements to the respective lower-level requirements, and periodically evaluate work products, including the requirements management plan, and update them in accordance with the requirements guidance.

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: DOD concurred with this recommendation and stated in March 2016 that the Navy had corrected the data query issue that caused 11 requirements to be eliminated from the traceability matrix we reviewed. DOD also stated that the Navy had identified the weakness in the traceability process that led to 14 general requirements not being fully traced. However, as of June 2020, DOD had not provided us with documentation that supports that it identified the weakness in the requirements traceability process. It also had not demonstrated that the program office has updated its requirements management guidance to address the weakness it identified.

Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of IRS' FY 2019 financial statements, IRS indicated that it had not yet implemented this recommendation. When the agency indicates that it has implemented this recommendation, we will review its actions.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to develop and periodically update a set of authoritative climate change observations and projections for use in federal decision making, which state, local, and private sector decision makers could also access to obtain the best available climate information.

Agency: Executive Office of the President
Status: Open

Comments: As of January 2020, the Executive Office of the President has yet to take action in response to this recommendation.

Recommendation: To help federal, state, local, and private sector decision makers access and use the best available climate information, the Executive Office of the President should designate a federal entity to create a national climate information system with defined roles for federal agencies and nonfederal entities with existing statutory authority.

Agency: Executive Office of the President
Status: Open

Comments: As of January 2020, the Executive Office of the President has yet to take action in response to this recommendation.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During our audit of IRS's FY 2019 financial statements, , the agency submitted this recommendation for closure, but our testing determined it should remain open. Subsequently, IRS updated its anticipated closure date for the recommendation to July 2020. As part of our FY 2020 audit, we will continue to monitor IRS's progress in ensuring that its control testing methodology and results fully meet the intent of the control objectives being tested.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During the audit of IRS's FY 2019 financial statements, the agency submitted this recommendation for closure, but our testing determined that it should remain open. While IRS continued to make positive steps to address our recommendation, the agency's implementation of corrective actions did not fully address it. As part of our FY 2020 audit, we will continue to monitor IRS's progress in strengthening its remedial action verification process and ensuring its corrective actions are fully implemented.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics to require MAIS programs to establish their first acquisition program baseline within 2 years of beginning work on the programs.

Agency: Department of Defense
Status: Open

Comments: As of January 2020, DOD had made limited progress addressing our recommendation for business system programs; however, it had not addressed the recommendation for non-business system programs. Specifically, the department updated its instruction on business systems requirements and acquisition to include, among other things, guidance on establishing baselines against which to measure progress for developing needed business capability. However, the instruction did not explicitly require that a program baseline be established within 2 years. Specifically, according to the instruction, baselines may be established at the program level or at the release level (i.e., for a manageable subset of functionality in support of the business capability), within 2 years after programs have validated a business capability is needed and received approval to conduct solution analysis. If at the program level, the baseline is to be set prior to the development of the first release or deployment. If at the release level, the baseline is to be set prior to the development of each release or deployment. In January 2020, the department also issued interim policy for software-intensive systems. However, while the interim policy requires program managers to develop an acquisition strategy that includes delivering software within one year from the date funds are first obligated to acquire or develop new software capability, the interim policy does not require software-intensive system programs to establish a program baseline within 2 years.

Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to help ensure that DOD possesses the capability to collect and report statutorily required information and to clarify responsibilities and procedures, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics to update SPOT provisions during the process of updating operational contract support guidance.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In August 2018, the office of the Assistant Secretary of Defense for Logistics and Materiel Readiness reported that an update of DOD Instruction 3020.41 is in progress, and will include updated SPOT provisions. However, as of August 2020, the updated instruction had not been issued.

Recommendation: To help improve DOD, State, and USAID's ability to track contracts and contractor personnel in contingency operations and to provide clarity about expectations for the Joint Asset Movement Management System (JAMMS) that can help improve the timeliness and reliability of data for SPOT-ES from JAMMS uploads, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff, in coordination with the combatant commanders, to develop comprehensive guidance regarding the purpose of JAMMS and its role in supporting plans for different types of missions. Such guidance could include direction on the number and location of JAMMS terminals and how frequently JAMMS's data should be uploaded into SPOT-ES to meet DOD's information needs.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation. DOD stated that it agreed to provide clarity regarding the purpose and use of JAMMS to improve the timeliness and reliability of JAMMS data, though it did not agree that such guidance could include direction on the number and location of JAMMS terminals and how frequently JAMMS's data should be uploaded into SPOT-ES. DOD stated that it would revise language in DOD Instruction 3020.41, Operational Contract Support, to reflect in policy the requirement to use the entire SPOT Enterprise Suite (SPOT-ES), which includes JAMMS. DOD also stated that the combatant commander should establish the requirements for terminal quantities and locations and for data upload schedules based on operational needs in the relevant theater. We agreed with DOD that the combatant commands need flexibility based on operational requirements. In August 2018, the office of the Assistant Secretary of Defense for Logistics & Materiel Readiness reported that the update to DOD Instruction 3020.41 is in progress and will clarify information on the JAMMS capability. However, as of August 2020, the updated instruction had not been issued. Updated SPOT-ES Business Rules dated May 10, 2018 incorporate the role of JAMMS in maintaining visibility of contractor personnel.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: The Commission should direct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results.

Agency: American Battle Monuments Commission
Status: Open

Comments: During our audit of the American Battle Monuments Commission's (Commission) fiscal year 2011 financial statements, we found that the Commission had not performed independent physical inventory of equipment owned by the Commission at the various cemeteries across the world. We found that although the Commission had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011. Further, the policy did not explain how to plan, execute, and analyze the results of an inventory count. As a result, we recommended that the Secretary of the Commission instruct the appropriate officials to establish and implement written procedures for conducting all physical inventory counts of equipment. These procedures, at a minimum, should outline the processes for (1) planning and executing the physical inventory count and (2) analyzing and documenting the results. During our follow-up, the Commission informed us that they plan to implement procedures to address this recommendation but have not dedicated resources to it yet. We will continue to follow-up on this recommendation.

Recommendation: The Commission should direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more.

Agency: American Battle Monuments Commission
Status: Open

Comments: During our audit of the American Battle Monuments Commission's (Commission) fiscal year 2011 financial statements, we found that the Commission had not performed independent physical inventory of equipment owned by the Commission at the various cemeteries across the world. We found that although the Commission had a policy to perform biennial physical inventory counts of all equipment over $500, this policy was not adhered to during fiscal year 2011. As a result, we recommended that the Secretary of the Commission direct the appropriate officials to establish a mechanism to monitor implementation of existing Commission policy to perform biennial physical inventory counts of all items of equipment with an obligated balance of $500 or more. During our fiscal year 2012 audit, we found that although the Commission had performed a comparison of the equipment on hand to the data recorded in SharePoint (document management web application to share documents internally), an independent physical inventory was not performed. We determined that the Commission had not established a mechanism for performing an inventory of assets. During our follow-up, the Commission informed us that they plan to implement procedures to address this recommendation but have not dedicated resources to it yet. We will continue to follow-up on this recommendation.

Recommendation: The Secretary of Defense should direct the Secretary of the Navy to develop a plan to share UII data enterprisewide.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In January 2019, according to DOD officials, the Navy was still revising its policies and guidance documents to include information on sharing UII data enterprise wide. They expected a revised Secretary of the Navy instruction to undergo review in Fiscal Year 2019 and an OPNAV supporting instruction to follow, once the Secretary of the Navy instruction is released. However, as of September 2019, the relevant Secretary of the Navy instruction had not been updated.

Recommendation: To help ensure the success of FDA's modernization efforts, the Commissioner of FDA should direct the CIO to, in completing the assessment of Mission Accomplishments and Regulatory Compliance Services (MARCS), develop an integrated master schedule (IMS) that (1) identifies which legacy systems will be replaced and when; (2) identifies all current and future tasks to be performed by contractors and FDA; and (3) defines and incorporates information reflecting resources and critical dependencies.

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: In 2018, we confirmed that FDA, in response to our recommendation, began efforts to identify which legacy systems will be replaced. FDA also developed an IMS for fiscal year (FY) 2017 and 2018 that identifies current and future tasks to be performed by contractors and FDA. However, FDA's IMS for FY 2017 and 2018 does not fully and clearly define resources. For example, although the FY 2017 IMS includes 265 names, roles, and teams, only 16 percent of activities have resource assignments. Further, FDA's fiscal year 2018 IMS does not fully define critical dependencies. For example, there are 14 activities and milestones with finish dates that are not properly tied to logic. Specifically, the finish dates of the 14 activities are not clearly tied to succeeding activities in the schedule. We contacted FDA in September and December 2019 and January 2020 for an update on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.

Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: As of March 2020, we have not seen a formal written memo from the IRIS program laying out this information - in detail - publicly, or how timelines for assessments are influenced by various criteria. While IRIS program staff have discussed this issue, no written guidance has been created. Such communication from the IRIS Program, as well as more frequent updates of the timelines for chemicals currently in assessment and projected starting dates for every chemical listed as "under assessment" is needed.

Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

Agency: Environmental Protection Agency
Status: Open

Comments: As of March 2020, EPA's Integrated Risk Information System (IRIS) Program has established the priority chemicals it is working on, and has published some timelines via the IRIS Program Outlook document. However, this information has not been published as an agenda in the Federal Register.

Recommendation: To improve the Bureau's use of its master schedule to manage the 2020 decennial census, the Secretary of Commerce should require the Director of the U.S. Census Bureau to include estimates of the resources, such as labor, materials, and overhead costs, in the 2020 integrated schedule for each activity as the schedule is built, and prepare to carry out other steps as necessary to conduct systematic schedule risk analyses on the 2020 schedule.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: Commerce neither agreed nor disagreed with this recommendation. Regarding GAO's 2013 assessment of the Bureau's schedule (GAO-14-59), Bureau officials stated that they hoped to begin identifying the resources needed for each activity in their schedules by early 2014. Bureau officials announced they had completed the 2020 Census schedule in July 2016, and have since periodically described their intent to link resources to activities within their schedules. However, as of May 2018, when the Bureau had not taken these steps. Senior Bureau officials stated that it would require additional staffing in order to plan for and implement this recommendation. In July 2018 (GAO-18-589) we reported again on the status of the Bureau's scheduling, stating that when the Bureau has resource loaded its schedule, it will be able to use the schedule more effectively as a management tool. The Bureau took steps toward assigning resources to its master activity schedule for the 2020 Census, but effectively ran out of time to do so. Assigning resources to large complex schedules is easier to do early in schedule development process, as we recommended the Bureau do in 2009 for its 2020 Census schedule. This recommendation will remain open pending the Bureau taking steps in developing its 2030 schedule with appropriate resources linked to it.