Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Information technology"
GAO-20-567, Sep 30, 2020
Phone: (202) 512-4456
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-252, Sep 30, 2020
Phone: (202) 512-6151
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-179, Sep 9, 2020
Phone: (202) 512-6240
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-598, Aug 18, 2020
Phone: (202) 512-6240
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-627, Jul 31, 2020
Phone: (202) 512-4841
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration agreed with the recommendation but has not yet taken actions to implement it.
GAO-20-562, Jul 16, 2020
Phone: (206) 287-4804
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-213, Jun 1, 2020
Phone: (202) 512-4456
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-418, Apr 30, 2020
Phone: (202) 512-2775
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. In August 2020, DOD stated that it had intended to convene an IT working group to reassess the methodology and begin detailed IT consolidation planning, but the COVID-19 pandemic delayed this plan. DOD also said that the working group will form as soon as conditions allow and estimated that the working group will complete its work by October 31, 2020. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: DOD did not concur with this recommendation. In its written comments on our report, DOD stated that all the submitted comments were considered in the department's decision-making process; that all of the military department secretariats agreed with above-store consolidation, despite their comments on the business case analysis; and that the military department comments regarding the business case analysis were shared with congressional committee professional staff, even though the comments were not included in DOD's report to Congress so as to protect the department's deliberative process. In an August 2020 memorandum to GAO, DOD provided similar comments, stating that it considered all comments in its decision-making process and did not attach the comments to its report to Congress in order to protect DOD's internal deliberations. If DOD takes action to respond to this recommendation, we will provide updated information.
GAO-20-322, Apr 23, 2020
Phone: (202) 512-6806
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-155, Apr 7, 2020
Phone: (202) 512-4456
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: Commerce concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: Commerce concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: Commerce concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: Commerce concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: Commerce concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: HHS concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: HHS concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: HHS concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: HHS concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: HHS concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of State: Office of the Secretary
Status: Open
Comments: State concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of State: Office of the Secretary
Status: Open
Comments: State concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of State: Office of the Secretary
Status: Open
Comments: State concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of State: Office of the Secretary
Status: Open
Comments: State concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of State: Office of the Secretary
Status: Open
Comments: State concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open
Comments: VA concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open
Comments: VA concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open
Comments: VA concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open
Comments: VA concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: Department of Veterans Affairs: Office of the Secretary
Status: Open
Comments: VA concurred with this recommendation. We will continue to follow up on the department's efforts to address it.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. We will continue to follow up on the agency's efforts to address it.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. We will continue to follow up on the agency's efforts to address it.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. We will continue to follow up on the agency's efforts to address it.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. We will continue to follow up on the agency's efforts to address it.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. We will continue to follow up on the agency's efforts to address it.
GAO-20-404, Apr 3, 2020
Phone: (202) 512-8777
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
GAO-20-329, Mar 30, 2020
Phone: (202) 512-3841
Agency: Department of the Interior: Bureau of Land Management
Status: Open
Comments: The Department of the Interior, on behalf of BLM, did not concur with this recommendation. As of August 2020, BLM has not taken steps to address this recommendation.
Agency: Department of the Interior: Bureau of Land Management
Status: Open
Comments: The Department of the Interior, on behalf of BLM, did not concur with this recommendation, although it did state that it agreed with the premise of the need to further improve its formal change management procedures. As of August 2020, BLM has not taken actions to address this recommendation.
Agency: Department of the Interior: Bureau of Land Management
Status: Open
Comments: The Department of the Interior, on behalf of BLM, agreed with this recommendation. In its agency comment letter, the Department said that the BLM AFMSS team would implement adjustments and improvements based on the collected lessons learned. It also stated that upon completion of the last Field Office implementation and conversion to AFMSS II, BLM will conduct a formal program review and an annual operational assessment, which will also present opportunities for annual corrective actions and additional lessons learned considerations. As of August 2020, BLM has not taken actions to address this recommendation.
GAO-20-279, Mar 5, 2020
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) has not yet taken action to address this recommendation. We will continue to monitor the agency's efforts to implement this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: In comments on our report, the Department of Agriculture (Agriculture) agreed with our recommendation and stated that it planned to meet the cost savings target in 2020. We will continue to monitor Agriculture's efforts to implement this recommendation.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and described actions that they planned to take in order to address the recommendation. We will continue to monitor Commerce's efforts to implement this recommendation.
Agency: Department of Commerce: Office of the Secretary
Status: Open
Comments: In comments on our report, the Department of Commerce (Commerce) agreed with our recommendation and described actions that they planned to take in order to address the recommendation. We will continue to monitor Commerce's efforts to implement this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: In comments on our report, the National Aeronautics and Space Administration (NASA) agreed with our recommendation and described actions that the agency planned to take to address the recommendation. NASA stated that it expected to complete these actions by March 31, 2020. Once we have obtained and assessed evidence of the agency's actions taken, we will update the status of this recommendation.
GAO-20-299, Feb 25, 2020
Phone: (202) 512-6240
Agency: Department of Commerce: National Institute of Standards and Technology: Office of the Director
Status: Open
Comments: In written comments provided in July 2020, the Department of Commerce (Commerce) stated that it agreed with our recommendation. It noted that to further establish its Cybersecurity Measurement program, the National Institute of Standards and Technology (NIST) will document its Cybersecurity Measurement program's scope, objectives, and approach, including an inventory of existing measurement resources. Additionally, to further amplify small business awareness of cybersecurity, and of the Cybersecurity Framework, it noted that NIST will develop and publish two Cybersecurity Framework starter profiles tailored toward risk management of business processes important to small business owners. The expected completion date is September 2020.
Agency: Department of Agriculture
Status: Open
Comments: In written comments provided in April 2020, the United States Department of Agriculture (USDA) stated that it concurred with our recommendation. The department stated that it routinely shared framework guidance provided by the Department of Homeland Security and discussed the framework as part of its monthly Sector conference calls and biannual Sector Meetings. It also added that the department will continue to strengthen its coordination efforts.
Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Comments: In written comments provided in July 2020, the Department of Defense concurred with our recommendation. The department noted that it had developed processes and resources to help determine the type of framework adoption across the Defense Industrial Base. These include conducting assessments on the implementation of NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"; and releasing the Defense Industrial Base Implementation Guide for the NIST Cybersecurity Framework. However, the department has yet to report on sector-wide improvements using these processes and resources. Until it does so, its critical infrastructure sector may not fully understand the value of the framework to better protect its critical infrastructure from cyber threats. The expected completion dates are in September and November 2020.
Agency: Department of Energy: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Energy (DOE) stated that it partially agreed with our recommendation. It noted that DOE will coordinate with the Energy Sector to develop an understanding of sector-wide improvements from use of the framework. The expected completion date is December 2021.
Agency: Environmental Protection Agency
Status: Open
Comments: In written comments provided in July 2020, the Environmental Protection Agency (EPA) stated that it agreed with our recommendation. It noted that it will consult with the Water Sector Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology, as appropriate, to investigate options to collect and report sector-wide improvements, consistent with statutory requirements and the Sector's willingness to participate. However, the department did not provide a timeframe for completing these actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: In April 2020, the General Services Administration (GSA), in coordination with its co-SSA, the Department of Homeland Security (DHS), provided documentation demonstrating that it had initiated steps to collect and report on sector-wide improvements from use of the NIST Cybersecurity Framework across its critical infrastructure sector. Specifically, the agencies from the government sector had submitted their risk management reports to DHS and OMB that described agencies' action plans to implement the framework, as required under Executive Order 13800, and evaluated the agencies against the five functions of the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond, and Recover. The risk management reports are included as part of OMB's FISMA Annual Report to Congress. According to OMB's FISMA Annual Report to Congress, OMB and DHS determined that 71 of 96 agencies (74 percent) have cybersecurity programs that are either at risk or high risk. As a result, improvements were identified in the form of four core actions in the Federal Cybersecurity Risk Determination Report and Action Plan, which include: (1) Implement the Cyber Threat Framework to increase cybersecurity threat awareness among Federal agencies, (2) Standardize IT and cybersecurity capabilities, (3) Consolidate agency SOCs to improve incident detection and response capabilities, and (4) Drive accountability across agencies through improved governance processes, recurring risk assessments, and OMB's engagements with agency leadership. We are waiting for additional information from GSA and DHS on the status of the four core actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of Health and Human Services (HHS) stated that it concurred with our recommendation. The department noted that it would work with the appropriate entities to refine and communicate best practices to the sector.
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: In written comments provided in February 2020, the Department of Homeland Security (DHS) stated that it agreed with our recommendation. It noted that in coordination with the IT Sector Coordinating Council, the department recently issued a survey to small and mid-sized IT sector partners to better understand framework adoption and use within the IT sector. Once the results of the survey are received, DHS's Cybersecurity and Infrastructure Security Agency will determine the feasibility of issuing similar surveys to other sectors, and the potential timelines for completing sector-specific survey modifications, issuing surveys, compiling responses, and developing white papers on the status of framework adoption for each sector. The department expects completion of this work by December 31, 2021.
Agency: Department of Transportation: Office of the Secretary
Status: Open
Comments: In written comments provided in April 2020, the Department of Transportation (DOT) stated that it concurred with our recommendation. It noted that the department (through the Office of the Secretary, Office of Intelligence, Security, and Emergency Response) and the Department of Homeland Security (through the Transportation Security Administration and United States Coast Guard) will coordinate as Co-Sector-Specific Agencies for the Transportation Systems Sector to finalize the development and distribution of a survey instrument to determine the level and type of framework adoption in the Sector. The department expects completion of this work by December 31, 2021.
Agency: Department of the Treasury: Office of the Secretary
Status: Open
Comments: In written comments provided in January 2020, the Department of the Treasury (Treasury) stated that it agreed with our recommendation. The department noted that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from the use of the NIST Framework. The department did not provide a timeframe for completing these actions.
GAO-20-103, Feb 25, 2020
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of August 2020, IRS disagrees with this recommendation and does not plan to take action on it. IRS officials said their Chief Counsel Directives Manual provides sufficient guidance and flexibility to allow for enhanced collaboration when appropriate. However, officials acknowledged that this collaboration was particularly helpful in implementing TCJA provisions and greatly contributed to IRS's successful implementation. By implementing this recommendation, IRS can help ensure that institutional knowledge and beneficial practices from TCJA implementation will be documented and effectively leveraged to support implementation of future time-sensitive or complex tax law changes without restricting IRS's flexibility. Documenting procedures would ensure IRS can retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of August 2020, IRS disagrees with this recommendation and does not plan to take action on it. IRS officials acknowledged inconsistencies in reports but said these inconsistencies were not detrimental to overall implementation. We maintain that accurately and thoroughly capturing implementation status on ongoing projects would provide accurate information to decision makers and could prevent potential misreporting, mismanagement, or inefficient resource investment in the future.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of August 2020, IRS disagrees with this recommendation and does not plan to take action on it. IRS officials said the retroactive transcription of TCJA returns would be a time intensive activity with significant opportunity costs, and that the benefits of retroactive transcription are currently not quantifiable. A high-level analysis of costs and benefits could help IRS management determine what, if any, data would benefit compliance and enforcement efforts. IRS could use readily available existing information (such as the number of returns affected by a certain provision, LB&I and IT cost data on conversion efforts already implemented, or the usefulness of past compliance analytics in similar areas) to inform the analysis. For example, IRS staff are manually reviewing certain forms associated with one TCJA provision for compliance purposes and IRS could use information from this effort (e.g., amount of time and any compliance results) to inform a high-level estimate of costs and benefits.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of August 2020, IRS disagrees with this recommendation and does not plan to take action on it. IRS officials said that implementing this recommendation would require identifying the costs and benefits, which they do not plan to take action on. However, IRS officials acknowledged that IRS operating divisions and offices make strategic decisions regarding how best to use TCJA-related return data for compliance and enforcement purposes. We believe that converting data in instances where the benefits outweigh the costs would better position IRS to more effectively and efficiently pursue its mission of ensuring taxpayer compliance. For example, in the case of one TCJA provision, because IRS is not collecting information in an easily accessible format, IRS staff are manually reviewing forms to help with compliance efforts.
Agency: Department of the Treasury: Office of the Assistant Secretary of the Treasury (Tax Policy)
Status: Open
Comments: As of August 2020, Treasury disagrees with this recommendation and does not plan to take action on it. Treasury officials said the analyses underlying Treasury's tax regulations have fully complied with the Memorandum of Agreement established with the U.S. Office of Management and Budget (OMB), which focuses on non-revenue effects. We maintain that decisions Treasury and IRS made when developing regulations to implement TCJA could potentially impact tax liability by billions of dollars per year; however, Treasury's internal guidance dictates that these revenue effects should not be included in its economic analyses of the regulations. In some regulations, Treasury has addressed revenue effects in its analyses, but this has not been done consistently. By adjusting its internal guidance to ensure that distributional effects of revenue changes are consistently reflected in its analyses, it would better inform the regulatory decision-making process, while also providing the public with greater transparency.
GAO-20-243, Feb 19, 2020
Phone: (202) 512-3841
Agency: Department of Agriculture
Status: Open
Comments: In January 2020, USDA officials agreed with our recommendation and stated that the department is evaluating options for the development of performance metrics and inclusion of these metrics and related information as part of the regular and recurring reviews by the department's Deputy Secretary who is identified as the Chief Operating Officer.
GAO-20-267, Feb 6, 2020
Phone: (202) 512-6240
Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open
Comments: The agency agreed with the recommendation and has taken steps towards implementing it. Specifically, in March 2020 CISA finalized its operations plan for the 2020 elections. CISA's operations plan addresses one of the 13 objectives and key actions from the strategic plan -- monitor threat activity. While CISA's operations plan is to supplement the agency's strategy, the plan does not fully address any of the four lines of effort and the other 12 objectives outlined in the strategic plan. When examining the key actions for the remaining 12 objectives in the strategic plan, we were only able to confirm that 10 of the 27 key actions called for in those strategic plan objectives were fully addressed. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open
Comments: The agency agreed with the recommendation and has taken steps towards implementing it. We reported in February 2020 that CISA's strategic plan had only addressed three challenges from its external lessons learned review. Subsequently, CISA addressed two additional challenges in its operations plan, which was finalized in March 2020, and its election infrastructure subsector specific plan, which was updated in March 2020. CISA's plans addressed challenges regarding the agency's role in sharing and collecting intelligence across the election community and facilitating industry-wide vulnerability disclosures. However, CISA has not documented how the agency intends to address other identified challenges and how it will incorporate remedial actions into the agency's 2020 planning. We will continue to monitor the agency's progress in implementing our recommendation.
GAO-20-133, Feb 4, 2020
Phone: (202) 512-6240
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: DHS has drafted a preliminary strategy to independently validate agencies' actions, using a risk-based approach. However, this strategy has not yet been finalized and needs to more clearly align to the existing directive development process, to which it serves as an addendum. The strategy should include when and how primary and secondary sources of information for independent validation are selected within the directive development process.
Agency: Department of Homeland Security: Office of the Secretary
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-186, Jan 23, 2020
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-222, Dec 30, 2019
Phone: (202) 512-6806
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. OCWR officials stated that they will be implementing a policy to ensure that project planning steps, including a schedule of tasks, will be included and documented for future IT projects.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. OCWR officials stated that they have hired a contractor to assist with various risk management activities related to OCWR's permanent records retention program, including identifying and assessing risks and developing policies and procedures to address any risks.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. OCWR officials stated that they are reassessing desired performance results, developing new performance measures to monitor progress towards those results, and will clearly report OCWR's progress in future annual reports.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. According to OCWR officials, they are working with congressional oversight committees and covered legislative branch offices to obtain data through surveys or other methods that will enable them to evaluate the effectiveness and coverage of OCWR's education and outreach efforts.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. OCWR officials stated that they intend to revise the agency's strategic plan, including integrating IT planning and implementation into the strategic planning process, after they gain more experience with the new procedures required by the Congressional Accountability Act (CAA) Reform Act of 2018.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: The agency agreed with the recommendation. OCWR officials reported that they hired a contractor to better incorporate key management practices, such as developing strategies for recruiting and retaining staff with mission-critical skills, into OCWR's human capital plan and strategic planning process.
GAO-20-126, Dec 12, 2019
Phone: (202) 512-6244
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget: Office of the Director
Status: Open
Priority recommendation
Comments: OMB neither agreed nor disagreed with this recommendation and as of September 2020, the office has not provided information on its actions to implement our recommendation. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. We will update the status of this recommendation when OMB provides information on its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: General Services Administration: Office of the Administrator
Status: Open
Comments: As of September 2020, GSA has not provided evidence to close this recommendation. We will continue to monitor the agency's progress and update the recommendation's status when GSA provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CDC provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, CDC stated it has taken actions to address our recommendations, but we have not received evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status once CDC provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, HHS stated CMS took actions to close this recommendation, but CMS has not yet provided evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when CMS provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Comments: In June 2020, NIH stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. NIH stated it will provide an update in December 2020. We will continue to monitor the agency's progress and update the recommendation's status when NIH provides its corrective actions.
Agency: Environmental Protection Agency
Status: Open
Comments: In June 2020, EPA stated it is taking actions to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.
Agency: Environmental Protection Agency
Status: Open
Comments: In June 2020, EPA stated it is taking action to address this recommendation, but the agency did not provide evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any evidence of its corrective actions. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA did not concur with this recommendation and as of September 2020, the agency has not provided any additional evidence. We will continue to monitor the agency's progress and update the recommendation's status when EPA provides its corrective actions.
GAO-20-65, Nov 1, 2019
Phone: (202) 512-2775
Agency: Department of Defense: Defense Finance and Accounting Service
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's recommendation and stated that the Defense Finance and Accounting Service (DFAS) provides detailed cost and rate information to customers each year in multiple venues and would reach out to customers to obtain additional details to understand how to fill the information gap regarding rate transparency. In April 2020, DOD provided to GAO DFAS's corrective action plan, which stated that DFAS Client Executives would ask the Army, Navy, and Marine Corps lead Financial Managers for feedback on additional details needed to better plan for the DFAS bill. DFAS would then incorporate this additional detail into the customer bill briefings for the President's Budget Request for fiscal year 2022. DFAS also stated that the Air Force had indicated that DFAS provides appropriate transparency, but had requested that DFAS provide its bill estimate earlier, which DFAS had agreed to do.
Agency: Department of Defense: Defense Information Systems Agency
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's recommendation and stated that the Defense Information Systems Agency (DISA) will make every effort to improve dialogue with customers to ensure the correct people have a full understanding of DISA's methodologies used to develop their rates. In April 2020, DOD provided to GAO DISA's corrective action plan, which stated that DISA would continue to make every effort to improve dialogue with customers to ensure an increased understanding of methodologies used to develop the rates. In this plan, DISA reported that, in February and March 2020, its Chief Financial Officer (CFO) coordinated with the communications and financial management senior leadership for the military services to discuss Defense Working Capital Fund (DWCF) rate methodology and transparency. In May 2020, DOD provided an updated status on this recommendation, stating that a result of the DISA CFO outreach was that DISA would use the regular and recurring DISA Drumbeat engagements with the military departments to present and maintain an open and transparent dialogue on DISA DWCF rates. GAO requested documentation for the recent Navy and Air Force Drumbeat meetings and the pending Army meeting, as well as recent rate briefings that document that DISA is providing this more complete rate-setting information to its customers. GAO will update the status of this recommendation once this documentation is received.
Agency: Department of Defense: Defense Logistics Agency
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's recommendation and stated that the Defense Logistics Agency (DLA) would include more detailed information in its annual rate briefing to the Office of the Under Secretary of Defense (Comptroller) and the services regarding what is in its costs, how it calculates costs, and how and when changes would impact customers' overall costs. In addition, DLA stated that it conducts semiannual Cost Summits and periodic DLA/Service Days with customers. DLA said it would include discussions, as appropriate, of topics such as potential pricing methodology changes and estimated cost impacts to customers, well in advance of implementation. In March 2020, DLA notified GAO that it had discussed cost rates with the military services during the January 2020 DLA Cost Summit and the Service Days with each of the military services that it held in June and November 2019. GAO requested documentation for these five meetings that includes the more complete information on DLA's rate-setting methodologies that GAO identified in the recommendation. GAO will update the status of this recommendation once this documentation is received.
GAO-20-129, Oct 30, 2019
Phone: (202) 512-4456
including 1 priority recommendation
Agency: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: In July 2020, the department reported actions it had taken to fully implement the activities associated with assessing competencies and needs regularly; assessing gaps in competencies and staffing; monitoring the agency's progress in addressing competency and staffing gaps; and reporting to agency leadership on progress in addressing competency and staffing gaps. The department also reported actions it had taken to address the remaining four activities and provided estimated time frames for fully implementing them. As of August 2020, we were following up with the department to obtain supporting documentation for the activities it claimed it had fully implemented and status updates for the remaining activities.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: In December 2019, Labor officials provided additional documentation on actions taken to address the recommendation. We plan to review the documentation, and when we confirm what actions the agency has taken, we will provide updated information.
Agency: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: General Services Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: In December 2019, OPM stated that it had partnered with the General Services Administration's IT Modernization Center of Excellence to assess the current state of its IT workforce planning activities, but had not yet implemented any of the eight key planning activities we recommended. We will continue to monitor OPM's efforts to implement the recommendation.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Social Security Administration
Status: Open
Comments: In November 2019, Social Security Administration officials provided the agency's recently issued IT workforce strategy for fiscal year 2019 to fiscal year 2022. We plan to review the strategy, and when we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: United States Agency for International Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-146, Oct 30, 2019
Phone: (202) 512-4841
- acquisition and contracting approach;
- program management structure, including authorities and oversight responsibilities;
- plans for platform and infrastructure development;
- requirements management and development approach, and plans for prioritization;
- risk management plans, including how the program will identify and mitigate risks;
- metrics for measuring quality of software, and how those results will be shared with external stakeholders;
- manpower assessment identifying program workforce needs and state of expertise in Agile methods;
- requirements for reporting program progress to decision makers; and
- yearly funding levels. (Recommendation 1)
Agency: Department of Defense
Status: Open
Comments: DOD concurred with the recommendation and stated that the Under Secretary of Defense for Acquisition and Sustainment directed the Air Force (this work has now been moved to the Space Force) to provide an Acquisition Strategy for approval in November 2019. DOD noted that a strategy template provided to the Air Force included the elements identified by GAO. As of July 2020, the Acquisition Strategy had been submitted to the office of the Under Secretary of Defense for Acquisition and Sustainment, but officials stated that the strategy is still in review and has not yet been finalized.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation and stated that the Under Secretary of Defense for Acquisition and Sustainment will assess the need for future periodic and independent reviews of the program. As of July 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment stated that it had planned to direct an independent review of the program to be conducted by a Federally Funded Research and Development Center and to be completed by September 2020. However, lack of funding and restrictions related to COVID-19 impacted planning. The office still plans to direct this review, but details are pending.
GAO-20-8, Oct 10, 2019
Phone: (202) 512-7114
including 1 priority recommendation
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation
Comments: CMS concurred with our recommendation. In February 2020, CMS told us that it plans to reach out to states that have not yet participated in its optional consultations to discuss their progress towards implementing provider screening and enrollment requirements, and outline steps that the states should take to come into full compliance with them. In order to fully address this recommendation CMS would need to review all states' implementation of the provider screening and enrollment requirements, including states that have not made use of CMS's optional consultations. As such, this recommendation remains open until CMS provides evidence that it has assessed the compliance of all states; we will continue to monitor CMS's progress.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: As of February 2020, HHS officials have not informed us of any actions taken to implement this recommendation. We will update the status of this recommendation when we receive additional information.
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with this recommendation. The Veterans Health Administration (VHA) has reported that the Caregiver Support Program Office had identified a solution for identifying VHA Family Caregiver Program staff in the Human Resource (HR) Smart system. VHA reported that current full- and part-time employees funded by the Caregiver Support Program Office will be identified with a specific specialty code in HR Smart. However, as of April 2020, this capability was not yet available in HR Smart and staffing for the program continued to be manually updated and tracked. Further, the proposed use of HR Smart will still not result in complete information that the Caregiver Support Program Office can use to track all staff who support the program because according to VHA, staff that assist the program as a collateral duty and VAMC-funded staff who support the program will not be tracked through HR Smart. As of July 2020, this recommendation remains open pending further updates from VHA.
Agency: Department of Veterans Affairs
Status: Open
Comments: VHA concurred with this recommendation. In February 2020, the Veterans Health Administration (VHA) reported that the Caregiver Support Program Office had identified a solution for identifying full-time VHA Family Caregiver Program staff in the Human Resource (HR) Smart system through the use of a specific specialty code. VHA reported that once implemented, the use of the HR SMART specialty code would provide more accurate information regarding staffing. In April 2020, VHA stated that there would also be a static field called "position skill type" that would track positions with a skill type category of caregiver and that Veterans Integrated Service Network (VISN) leads for the Family Caregiver Program would use this field to cross check the new specialty code and identify and correct any reporting inconsistencies. As of July 2020, this recommendation remains open pending further updates from VHA.
GAO-19-457, Sep 10, 2019
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter provided to GAO, the 20 percent software release target is unlikely to be achievable due to the nature of code that is custom developed by the department. However, the department is mandated by law to implement the open source software pilot program established by the Office of Management and Budget's memorandum M-16-21. Releasing at least 20 percent of newly custom-developed code is a requirement of this program. GAO will continue to follow up on the status of the pilot program.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense partially agreed with this recommendation and as of July 2020 has not yet implemented it. According to a December 2019 department letter sent to GAO, the department intends to release updated guidance on the release of custom-developed code as open-source software and will include metrics. The department estimated that the updated policy will be completed in the 3rd quarter of fiscal year 2020. GAO will follow up with the agency to obtain the status of the updated guidance.
GAO-19-488, Jun 12, 2019
Phone: (202) 512-7114
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Phone: (202) 512-2757
including 1 priority recommendation
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response (with performance measures and milestones, where appropriate) to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.
GAO-19-288, May 17, 2019
Phone: (202) 512-9342
including 2 priority recommendations
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation
Comments: HHS, on behalf of CMS, did not concur with this recommendation. In its February 2020 response to GAO, HHS stated that current NIST guidance to agencies was insufficient and that CMS would look forward to future guidance from NIST and OMB to help guide consideration of non-knowledge-based verification options. We continue to believe that our recommendation is valid because a variety of alternative methods to knowledge-based verification are available that CMS can consider to address the diverse population it serves. Further, NIST has agreed with our recommendation to develop additional guidance for agencies, and CMS may be able to use that guidance to identify a verification approach that does not rely on knowledge-based techniques. We will continue to monitor the actions CMS may take to address the recommendation.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: VA agreed with our recommendation. To fully implement this recommendation, VA needs to develop a plan with milestones to document the results of their evaluation of the alternatives the department stated it is interested in pursuing.
GAO-19-431T, Apr 30, 2019
Phone: (202) 512-2757
including 2 priority recommendations
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: Commerce agreed with our recommendation. It provided an action plan in August 2019. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: Commerce agreed with our recommendation. In August 2019, the Bureau stated that it is developing a process for tracking and executing corrective actions identified by governing bodies and external entities. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.
GAO-19-164, Apr 9, 2019
Phone: (202) 512-4456
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
GAO-19-58, Apr 4, 2019
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of May 2020, the Office of Management and Budget (OMB) has not yet taken any actions to implement our recommendation. We will continue to monitor OMB's progress in implementing this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture (Agriculture) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, Agriculture officials reported in April 2020 that the department had established an office to assist with cloud migration efforts and instituted a process that requires cloud migration efforts to submit cost data and report cloud savings in accordance with OMB guidance. Officials noted that the department would implement a mechanism within one year once OMB issues guidance related to tracking savings (OMB has not yet implemented guidance in this area). We will continue to monitor Agriculture's progress on these efforts.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce (Commerce) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. In October 2019, Commerce officials noted that the department would update its current procedures related to tracking savings and cost avoidances within one year once OMB issues guidance related to tracking cloud savings (OMB has not yet implemented guidance in this area). As of May 2020, the procedures have not yet been updated. We will continue to monitor Commerce's progress with these efforts.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (Defense) concurred with our recommendation and stated that the department planned to publish guidance in this area. Specifically, in April 2020, Defense officials reported that the department planned to publish guidance by July 2020 that required all department components to rationalize business and IT applications in alignment with the department's enterprise-wide process for conducting software application rationalization and the department's Cloud Strategy. We will continue to monitor Defense's progress on this effort.
Agency: Department of Defense
Status: Open
Comments: As of May 2020, the Department of Defense (Defense) has not yet taken any actions to implement our recommendation. We will continue to monitor Defense's progress in implementing this recommendation.
Agency: Department of Education
Status: Open
Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would complete an assessment of all IT investments for cloud services. In February 2020, Education officials reported that the department had taken action to update its guidance to include a requirement for assessing new and existing investments for cloud services. However, as of May 2020, based on our review of IT Dashboard data, Education has not yet completed an assessment of 23 investments for these services. We will continue to monitor Education's progress with this effort.
Agency: Department of Education
Status: Open
Comments: The Department of Education (Education) concurred with our recommendation and stated that the department would take action to address it. In May 2020, Education officials reported that the department had taken steps to identify a number of cloud investments with cost savings and avoidance data as a part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Education's progress with this effort.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language that addressed our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the department would update its IT budget guidance to address our recommendation. In February 2020, Energy officials provided a portion of a guidance document, but it did not include language on assessing investments for cloud services. In addition, as of May 2020, based on our review of data on the IT Dashboard, Energy has not yet completed an assessment of 107 investments for these services. We will continue to monitor Energy's progress with this effort.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and stated that the CIO would establish a mechanism to address our recommendation. In February 2020, Energy officials reported that they had identified a number of cloud investments with cost savings as part of the integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Energy's progress with this effort.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the Office of the CIO would revise its guidance by September 30, 2019 to address it. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would complete an assessment of all IT investments as part of its portfolio review for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and stated that the CIO would take action to track savings as part of its portfolio review process for fiscal year 2021. As of May 2020, we have not received a more recent update from HHS regarding its implementation of our recommendation. We will continue to monitor HHS's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was in the process of accessing its remaining systems to determine whether a cloud computing assessment should be completed but did not provide a date when this effort would be finished. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department was taking steps to implement it. Specifically, in October 2019, DHS officials reported that the department was working on a plan to define the resources and processes needed to implement a mechanism to track savings that would be completed by October 2020. As of May 2020, we have not received a more recent update from DHS regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Department of Justice
Status: Open
Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would require components to assess all investments for cloud. However, as of April 2020, based on our review of IT Dashboard data, Justice had not yet completed cloud assessments for 80 investments. We will continue to monitor Justice's progress with this effort.
Agency: Department of Justice
Status: Open
Comments: The Department of Justice (Justice) concurred with our recommendation and stated that it would take action to address it. In December 2019, Justice officials reported that the department had taken steps to identify cloud investments and related savings data as part of an integrated data call required by OMB. However, the department still needs to establish a consistent and repeatable mechanism to track savings for all IT investments. We will continue to monitor Justice's progress in implementing this recommendation.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department was taking steps to integrate a process for assessing investments for cloud computing suitability into its budgeting process. Specifically, in February 2020, Labor officials reported that the department was updating its policy to reflect a Cloud First policy that will ensure that all department investment migrations to cloud services are Cloud smart but did not identify a time frame when the policy would be finalized. We will continue to monitor Labor's progress on these efforts.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that the department planned to undertake a full review of data center-based applications for cloud suitability. Specifically, in February 2020, Labor officials reported that the department had created an Engineering Review Board in October 2019 to review proposed IT investments to ensure compliance with the department's cloud architecture, but did not provide a time frame for when all assessments of investments would be completed. We will continue to monitor Labor's progress on these efforts.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (Labor) concurred with our recommendation and stated that it planned to develop a mechanism to track savings to implement this recommendation. Specifically, in February 2020, Labor officials reported that the department was implementing a tool called Cloudchekr for tracking costs associated with cloud services that would also track related savings and cost avoidances, but no timeframe was provided for when the tool would consistently capture all savings from these efforts. We will continue to monitor Labor's progress on these efforts.
Agency: Department of State
Status: Open
Comments: The Department of State (State) concurred with our recommendation and stated that the department would develop a prototype tracking system ready for testing by the beginning of fiscal year 2020. As of May 2020, we have not received a more recent update from State regarding its implementation of our recommendation. We will continue to monitor State's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury (Treasury) has not yet taken any actions to implement our recommendation. As of May 2020, we have not received any update from the department regarding its implementation of our recommendation. We will continue to monitor Treasury's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) concurred with our recommendation, but as of May 2020, has not yet taken any actions to implement it. We will continue to monitor Transportation's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun an assessment process and expected to complete this effort by June 30, 2024. We will continue to monitor VA's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and stated that the department would take action to address it. In February 2020, VA officials reported that the department had begun populating a financial management application with data to track overall IT spending and cost savings, but did not provide a timeframe for when a mechanism to track this data would be finalized. We will continue to monitor VA's progress in implementing this recommendation.
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) concurred with our recommendation and stated that the agency planned to develop a process for collecting cost savings data. Specifically, in January 2020, GSA officials reported that the agency intended to develop and document a process for collecting cost and savings data for current and new investments using cloud services. Officials noted that the documentation would provide guidance as to what savings data would be required to be collected, how frequently the data would be reported, and the process for approval, but did not provide a timeframe for when the guidance would be finalized. In addition, officials reported that, once the new process was finalized, the agency would pilot the new process in order to test the approach and the collection of data. As of May 2020, the process has not been finalized. We will continue to monitor GSA's progress in implementing this recommendation.
Agency: Small Business Administration
Status: Open
Comments: The Small Business Administration (SBA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SBA officials reported that the agency had established a tool for monitoring the costs associated with the migration and deployment of cloud services. However, the documentation SBA provided did not indicate how cloud savings and cost avoidances would be isolated and reported. We will continue to monitor SBA's progress toward implementing this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials provided a copy of the agency's updated guidance but the guidance did not include language that addressed our recommendation. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency had completed an assessment of all investments for cloud services. However, our review of the agency's IT Dashboard data in November found that 24 investments remained to be reviewed. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) concurred with our recommendation and reported that the agency would take action to address it. In November 2019, SSA officials reported that the agency was working toward implementing a tool that would track cloud savings and avoidances but did not provide a timeframe for when the tool would be finalized. As of May 2020, we have not received a more recent update from SSA regarding its implementation of our recommendation. We will continue to monitor the status of this recommendation.
GAO-19-291, Mar 21, 2019
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-136, Mar 18, 2019
Phone: (202) 512-4841
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation and issued an interim Software Acquisition Pathway policy in January 2020 that addresses software development, including direction on user involvement. As of August 2020, this interim policy has not yet been finalized. According to DOD officials, a final policy is currently under development and is expected to be issued by the end of December 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. As of August 2020, DOD has issued an interim Software Acquisition Pathway that addresses software development, including direction on user involvement. According to DOD officials, this interim pathway is planned to be replaced by a final policy that is currently under development and is expected to be issued by the end of December 2020.
GAO-19-144, Mar 12, 2019
Phone: (202) 512-6244
including 10 priority recommendations
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture concurred with our recommendation and stated that it was identifying an internal team of subject-matter experts to collaborate with organizations across the department to review the assignment of the "000" code to positions and assist in determining the appropriate work role codes. As of April 2020, USDA expected to complete this activity by fall 2020. To fully implement this recommendation, USDA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The Department of Commerce concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense concurred with the recommendation but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: The Department of Defense concurred with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. To fully implement this recommendation, DOD will need to provide evidence that it has assigned appropriate National Initiative for Cybersecurity Education framework work role codes to its positions in the 2210 Information Technology management occupational series and assessed the accuracy of position descriptions.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series and assign the appropriate NICE framework work role codes. As of March 2020, HHS has made significant progress toward reviewing the assignment of work role codes to its positions in the 2210 IT management occupational series and ensuring that such positions are not coded with the "000" code. To fully implement this recommendation, HHS will need to provide evidence that it has assigned the appropriate NICE framework work role codes to all or nearly all of its remaining positions in the 2210 IT management occupational series. We will continue to monitor the situation.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security (DHS) concurred with our recommendation. DHS conducted an audit of its components' cybersecurity coding efforts in fiscal year 2018 and identified actions that components needed to take to complete the assignment of appropriate NICE framework work role codes and assess the accuracy of position descriptions; a second audit for fiscal year 2019 is underway, and the department expects to complete its coding efforts by December 2020. As of January 2020, DHS has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, DHS will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The Department of Housing and Urban Development (HUD) agreed with this recommendation. In January 2020, HUD stated that it was in the process of reviewing its positions in the 2210 IT management occupational series and assigning appropriate work role codes. To fully implement this recommendation, HUD will need to correctly categorize the work roles and functions performed by IT and cyber-related personnel in order to be able to identify critical cybersecurity staffing needs.
Agency: Department of State
Status: Open
Priority recommendation
Comments: The Department of State concurred with the recommendation. In January 2020, we confirmed that State had assigned National Initiative for Cybersecurity Education (NICE) framework work role codes to its positions in the 2210 IT management occupational series. However, the department has not yet provided sufficient evidence to demonstrate that it has completed its efforts to assess the accuracy of position descriptions. To fully implement this recommendation, State will need to provide evidence that it has assessed the accuracy of position descriptions.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: Treasury partially concurred with the recommendation and stated that some positions may not align to work roles in the National Initiative for Cybersecurity Education's (NICE) cybersecurity workforce framework. Treasury stated that it planned to review and validate the work role codes of its IT, cybersecurity, or cyber-related positions by March 2019. However, as of February 2020 Treasury had not provided evidence that it has implemented our recommendation. Until it assigns work role codes that are consistent with the IT, cybersecurity, and cyber-related functions performed by these positions, Treasury will continue to have unreliable information about its cybersecurity workforce that the department will need to identify its workforce roles of critical need.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency concurred with the recommendation, but as of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency concurred with the recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. As of January 2020, EPA has not yet provided sufficient evidence to demonstrate that it has implemented this recommendation. To fully implement this recommendation, EPA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration did not concur with the recommendation. As of January 2020, it had not yet provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and stated that it would complete a review of the assignment of the "000" code to its positions in the 2210 IT management occupational series, assign the appropriate NICE framework work role codes, and assess the accuracy of position descriptions. In March 2020, NASA indicated that it expected to implement the recommendation by September 30, 2020. To fully implement this recommendation, NASA will need to provide evidence that it has assigned appropriate NICE framework work role codes to its positions in the 2210 IT management occupational series and assessed the accuracy of position descriptions.
GAO-19-198, Mar 7, 2019
Phone: (202) 512-3604
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the DOD and military service Inspectors General had convened a working group to coordinate performance improvement on unmet timeliness goals. According to the IG, the working group's recommendations are being incorporated into uniform standards for reprisal investigations that are expected to be finalized in the second quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Air Force Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Air Force Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the future whistleblower case management system would incorporate design limits providing for access to information only by personnel necessary to accomplish assigned tasks in accordance with organizational missions and business functions. According to the IG, the system is scheduled to deploy in the third quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Air Force Inspector General concurred with this recommendation, and stated in December 2019 that an update scheduled for the end of April 2020 would enhance access control measures in its existing applications. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Army Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Army Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
GAO-19-101, Jan 31, 2019
Phone: (202) 512-3841
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of August 2020, NNSA provided a project plan for tasks to be completed for common financial reporting through 2021. However, NNSA has not developed requirements that define specific or detailed requirements for successful implementation of common financial reporting, such as the types of information that program managers need.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of August 2020, NNSA established a detailed project schedule for the common financial reporting effort through fiscal year 2021. However, NNSA should communicate this detailed project schedule for the effort to Congress on an annual basis.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: In June 2020, NNSA developed a risk management plan for common financial reporting which established a framework for identifying and managing risks. GAO will continue to monitor NNSA's efforts to implement the plan, including how NNSA identifies and documents risks and mitigates risk exposure using its management plan.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of September 2020, NNSA has continued to engage on a regular basis with its M&O contractors. However, similar efforts have not continued with stakeholders of the program offices.
GAO-19-146R, Dec 19, 2018
Phone: (202) 512-6244
Agency: Department of Agriculture
Status: Open
Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.
Agency: Department of Agriculture
Status: Open
Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.
Agency: Department of Agriculture
Status: Open
Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.
Agency: Department of Agriculture
Status: Open
Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.
GAO-19-63, Dec 11, 2018
Phone: (202) 512-4841
Agency: Department of Defense
Status: Open
Comments: In November 2018, and in response to our draft report, DOD stated that it would analyze the Federal Procurement Data System-Next Generation data in an effort to identify why the miscoding of orders under multiple award contracts occurs, and use this information to advise the contracting community of actions to improve the reliability of the competition data. In July 2019, DOD officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, DOD officials did not respond to our multiple requests for updates to this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: In February 2019, HHS stated it was performing analysis and research to understand the reasons for the miscoding of orders. Once this analysis and research is completed, HHS reported it plans to work to address the root causes of the previously identified miscodings, so as to prevent future errors. In July 2019, HHS officials stated they did not have an update regarding planned actions to address the recommendation. As of September 2020, HHS officials did not respond to our multiple requests for updates to this recommendation.
GAO-19-140, Dec 10, 2018
Phone: (202) 512-2757
including 1 priority recommendation
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: In its February 2019 action plan, the Bureau indicated having updated the Census Field Supervisor hiring assessment to include questions on supervisory experience, in line with draft documentation provided near the end of our engagement. The Bureau also indicated that, by June 2019, it would communicate as part of supervisor training increased supervisory responsibilities and the need to more actively work with enumerators in answering casework questions. In August 2020, the Bureau informed us that the Bureau would not be altering the information flows for 2020 operations to ensure that census field supervisors receive the same guidance and procedural updates that managers within the area census office receive. To fully implement this recommendation for future fieldwork, the Bureau's planned or other actions will also need to demonstrate how the census field supervisors will have the information they need to carry out their responsibilities to provide supervisory support to enumerators.
Agency: Department of Commerce
Status: Open
Comments: In its February 2019 action plan, the Bureau indicated that it plans, by June 2019, to give area census offices (ACOs) the ability to distribute training and informational updates to their local workforces through the Operational Control System. As of January 2020, we are reviewing updated Bureau training documentation on planned mid-operation procedural changes. In April 2020, the Bureau informed us that ACOs would not be empowered during 2020 operations to deliver to their workforces standardized, mid-operation guidance that would be targeted to specific issues being observed locally in the field. Officials noted that they would revisit this issue after 2020 operations have concluded. To fully implement this recommendation for future fieldwork, the Bureau will need to demonstrate the ability of ACOs to identify procedural or other implementation issues encountered locally and develop some form of actionable guidance disseminated systematically to its workforce in near-real time.
GAO-19-60, Nov 15, 2018
Phone: (202) 512-4456
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a revised enterprise governance policy that outlines the CIO's and Deputy CIO's roles and responsibilities. We will continue to monitor the component's efforts to finalize this policy.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: DHS concurred with this recommendation. In March 2020, Secret Service officials stated that the component had drafted a charter for its Executive Resources Board that specifies the roles and responsibilities of Board members, including the CIO. We will continue to monitor the component's efforts to finalize this charter.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that Secret Service acquisition directives require the component to conduct a Post Implementation Review of IT programs after such a program achieves Initial Operating Capability. However, it is unclear whether and how this requirement applies to agile projects, and if the Secret Service has included post-deployment user satisfaction metrics in the modular outcomes and target measures that the CIO sets for monitoring such projects. DHS's draft agile guidance strongly recommends that user satisfaction be assessed at the end of each production deployment, not just one time after Initial Operating Capability. Moreover, the Secret Service has not yet demonstrated that the CIO has included product quality in the modular outcomes and target measures that the CIO sets for monitoring agile projects. We will continue to monitor the department's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: In 2018 and 2019, the Secret Service participated in the Department of Homeland Security's Strategic Workforce Planning initiative, during which the department identified critical competencies and target proficiency levels for various IT workforce roles across the department (e.g., systems analysis, network management). However, it is unclear whether the Secret Service's participation in this initiative included the identification of the required knowledge and skills for all of the roles within the component's IT workforce, or just certain roles. In addition, while the Secret Service also established a standard operating procedure document in December 2019 that, among other things, identified recommended training and certifications for each OCIO division (e.g., network management, cyber security), this procedure document did not identify the required knowledge and skills for the workforce roles within each of those OCIO divisions. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component analyzed its IT workforce to identify its competency needs, as well as determined the projected staffing and competency gaps that it would have in fiscal year 2019. However, it has not yet provided supporting documentation of the analyses that the CIO conducted to determine these competency needs and projected competency gaps. We will continue to follow up with the Secret Service for documentation of its efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component determined that it had a projected staffing gap for fiscal year 2019 of 35 staff within the 2210 occupational job series (i.e., IT management staff). The officials also said that they had identified projected competency gaps related to positions such as Cyber Intelligence Analyst and Intelligence Research Specialist. While the Secret Service has not yet provided documentation of the analyses it conducted to determine these gaps, the component provided documentation to demonstrate that it targeted its fiscal year 2019 recruiting events to focus on addressing IT staffing and competency gaps. For example, among other things, in fiscal year 2019 the component conducted outreach and recruiting events focused on defense, cyber, IT, and intelligence hiring, as well as conducted a targeted cyber security hiring campaign with a large online job search service. We will continue to follow up with the Secret Service for documentation of the analyses the OCIO conducted to determine its IT staffing and competency gaps, in order to verify whether the 2019 recruiting events conducted were focused on addressing such gaps.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that the component has conducted recruitment and outreach efforts focused on IT, cyber, and engineering careers, and monitors the effectiveness of these efforts. However, the Secret Service has not yet provided supporting documentation demonstrating that it has (1) developed and tracked metrics to monitor the effectiveness of these recruitment activities, including their effectiveness at addressing skill and staffing gaps within the IT workforce; and (2) reported to component leadership on those metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: The Secret Service has not yet demonstrated that it has established and tracked metrics for assessing the effectiveness of its recruitment and hiring plans and activities for the IT workforce. As such, the component is not yet able to demonstrate that its Office of Human Resources and OCIO have adjusted their recruitment and hiring plans and activities based on these metrics. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: In December 2019, the Secret Service established a standard operating procedure document that identifies, among other things, recommended training and certifications for each OCIO division (e.g., network management, cyber security). However, this procedure document does not identify required training for each of these divisions. In March 2020, Secret Service officials stated that OCIO supervisors issued individual development plans to their team members that identified training requirements for continued professional development. However, the Secret Service has not yet provided documentation of these training requirements, nor evidence to support that the planned professional development activities are based on the required training for each IT workforce group. Moreover, the officials stated that, in response to the Coronavirus Disease 2019 (COVID-19), training is suspended. As such, the component is not implementing IT workforce training activities at this time. The officials plan to continue staff training once it is reinstated. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: While Secret Service officials stated that the component's Office of Training establishes the required curriculum for Secret Service personnel, the component has not yet demonstrated that the CIO has defined the training required for each IT workforce group, as we previously recommended. As such, the component is also not able to demonstrate that it is ensuring that each IT workforce group completes the training specific to their positions, as we also recommended. We will continue to monitor the Secret Service's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: Secret Service officials stated that they are assessing how IT training has contributed to improved performance and results by comparing IT course completion results to the results of related training exercises that the component conducts (for example, the Secret Service may compare the completion rates for an IT security awareness training course to the results of a related IT security awareness exercise that the component conducts). However, the Secret Service has not yet provided supporting documentation of these assessments. We will continue to monitor the component's efforts to implement this recommendation.
Agency: Department of Homeland Security: United States Secret Service
Status: Open
Comments: According to Secret Service officials, the component has implemented a performance management system that enables OCIO supervisors to update the individual performance plans of each IT workforce staff member to include the relevant technical competencies against which each staff member's performance is to be assessed. However, the Secret Service has not yet provided supporting documentation demonstrating that OCIO has updated the performance plans for each IT workforce staff member to include the relevant technical competencies. We will continue to monitor the component's efforts to address this recommendation.
GAO-19-49, Nov 13, 2018
Phone: (202) 512-4456
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet developed procedures that explicitly require that all transactions with an IT component be included in the expenditure reporting to the CIO. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided documentation regarding its IT budget procedures. However, DOE has not yet documented procedures for ensuring the CIO is included in budget decisions for all programs with IT resources, including those within NNSA and the national laboratories. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, DOE has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT governance board and budget procedures. However, DOE has not documented procedures by which the CIO is to work with program leadership in planning IT resources for all programs, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: The department has provided IT budget procedures. However, DOE has not documented procedures by which the CIO is to review and approve all major IT investments, including those within NNSA and the national laboratories. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not documented procedures for the CIO's review of IT resources that are to support major program objectives and significant increases and decreases in IT resources for department and component agency budget requests. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. The department has provided IT budget procedures. However, DOE has not developed procedures for documenting steps the CIO is to take to ensure that the IT portfolio includes appropriate estimates of all IT resources. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy
Status: Open
Comments: DOE agreed with our recommendation and is planning to take steps towards implementing it. Specifically, DOE plans to implement the Technology Business Management Framework by December 2021. Additionally, the department is coordinating internally to update its financial and procurement systems to better identify IT spending. DOE anticipates that its updates will allow the agency to compare actual IT spending against estimates in the portfolio. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: NNSA agreed with this recommendation and plans to develop relevant policies and procedures by June 2020. We will continue to monitor the agency's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to include requirements for reporting expenditures that apply to all transactions with an IT component. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT investment planning policy to amplify the CIO's role in the planning and budgeting stages for all programs with IT resources. Also, HHS intends to document procedures for ensuring that all delegated authorities are carried out. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation. The department has provided charters that included the CIO as a member of department-level governance boards that inform IT decisions. However, HHS has not provided charters that include the CIO as a member of component-level IT governance boards. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. For example, HHS plans to develop an asset management policy and introduce a pilot program to manage inventories across the agency. However, the department has not developed policies and procedures that incorporate the processes by which the program leadership are planning the IT portfolio with the CIO for existing investments greater than or equal to $20 million annually and for investments delegated to components. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to update its IT investment planning policy to amplify the CIO's role in reviewing major investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with this recommendation and has taken steps towards implementing it. Specifically, HHS documented procedures that require the CIO to hold annual IT investment review meetings with components to review changes in IT resources. However, HHS has not documented procedures for the CIO's role in reviewing major program objectives. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to assess and update its existing policies and procedures to document the steps the CIO is to take to review the IT portfolio for appropriate estimates of all IT resources. We will continue to monitor the department's progress toward implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the department intends to develop an IT governance policy to define the accountability of the CIO over all IT projects and establish processes detailing quality reviews and the level of rigor that should be applied by its IT governance board. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps to implement it. Specifically, the agency intends to update its IT acquisition program policy and related processes. HHS also plans to document standard operating procedures for agency-wide dissemination to ensure the effectiveness and efficiency of IT investment governance through transparent and repeatable procedures. We will continue to monitor the agency's progress in implementing our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS agreed with the recommendation and is planning to take steps towards implementing it. Specifically, HHS established a working group and developed a roadmap for implementing the Technology Business Management Framework by fiscal year 2022. The agency anticipates that its strategy and approach will enable HHS to, among other things, link IT portfolio data, procurement system data, and financial system data. We will continue to monitor the department's progress towards implementing our recommendation.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: CMS agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: The department agreed with the recommendation and has taken steps towards implementing it. Specifically, in October 2019, the DOJ CIO issued a memorandum requiring component CIOs to establish a process for providing IT investment information to the DOJ CIO. The component CIO's process is to either include the DOJ CIO as a member of component investment review boards or provide an alternative mechanism for obtaining the DOJ CIO's input on component IT investments. We will continue to monitor the department's progress in implementing our recommendation.
Agency: Department of Justice: Federal Bureau of Investigation
Status: Open
Comments: FBI agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the department has taken in response to this recommendation, we will provide updated information.
GAO-19-38, Oct 30, 2018
Phone: (202) 512-8678
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Phone: (202) 512-2775
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's October 2018 recommendation. By July 2019, DOD had completed a study of printing and reproduction services to determine the best value to the department. As of December 2019, according to a DOD official, the Office of the Under Secretary of Defense for Acquisition and Sustainment plans to develop steps toward achieving the best value to the government based on the study results, and update DOD Instruction 5330.03, which describes the mission, responsibilities, functions, and relationships of DLA Document Services by July 2020. Completion of these actions would allow DOD to determine if further efficiencies in its document services are possible.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's October 2018 recommendation. In July 2019, DOD had completed a study of printing and reproduction services to determine the best value to the department. As of December 2019, according to a DOD official, the Office of the Under Secretary of Defense for Acquisition and Sustainment plans to develop steps toward achieving the best value to the government based on the study results, and update DOD Instruction 5330.03, which describes the mission, responsibilities, functions, and relationships of DLA Document Services by July 2020. Completion of these actions would allow DOD to determine if further efficiencies in its document services are possible.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's October 2018 recommendation. As of December 2019, DOD had ongoing actions intended to address the recommendation. For example, according to a DOD official, the DOD Chief Information Officer (CIO) will collaborate with the Under Secretary of Defense for Acquisition and Sustainment to define the necessary responsibilities, policy, and procedures in the planned revision of DOD Instruction 5330.03, which describes the mission, responsibilities, functions, and relationships of DLA Document Services. DOD plans to update the instruction by July 2020. Implementing controls, such as clarifying responsibilities, policy, and procedures, would better enable DOD to achieve department-wide goals for reducing print devices it established in the CIO's 2012 memorandum.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (DOD) concurred with GAO's October 2018 recommendation. As of December 2019, DOD had ongoing actions intended to address the recommendation. For example, according to a DOD official, the DOD Chief Information Officer (CIO) will collaborate with the Under Secretary of Defense for Acquisition and Sustainment to define the necessary responsibilities, policy, and procedures in the planned revision of DOD Instruction 5330.03, which describes the mission, responsibilities, functions, and relationships of DLA Document Services. DOD plans to update the instruction by July 2020. Implementing controls, such as clarifying responsibilities, policy, and procedures, would better enable DOD to achieve department-wide goals for reducing print devices it established in the CIO's 2012 memorandum.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense (DOD) partially concurred with this recommendation. As of July 2019, DOD had ongoing actions intended to address the recommendation. For example, according to DOD documentation, the offices of the Under Secretary of Defense for Acquisition and Sustainment and Under Secretary of Defense (Comptroller) planned to examine the Service-related definitions of printing and reproduction for potential process improvements. DOD anticipated completing this action by July 2020. Examining opportunities to improve the definitions of printing and reproduction services would better position DOD to report more accurate funding information for document services, as GAO recommended in October 2018.
GAO-18-93, Aug 2, 2018
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Commerce
Status: Open
Comments: The agency agreed with the recommendation and, in October 2018, described a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Defense
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Education
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Energy
Status: Open
Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.
Agency: Department of Homeland Security
Status: Open
Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.
Agency: Department of State
Status: Open
Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.
Agency: Department of Transportation
Status: Open
Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage its technical infrastructure modernization initiative to further define the CIO responsibilities in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agency's policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.
Agency: Office of Personnel Management
Status: Open
Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan, revised in 2019, addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-298, Jun 28, 2018
Phone: (202) 512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment, including planned and actual cost figures for FY2018, the report did not indicate whether the planned cost figure for FY2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
GAO-18-466, Jun 14, 2018
Phone: (202) 512-6244
Agency: Department of Commerce
Status: Open
Comments: Department of Commerce (Commerce) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams, and to identify strategies for mitigating any gaps identified. As of August 2020, Commerce had not provided sufficient evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Department of Energy
Status: Open
Comments: Department of Energy (DOE) officials concurred with our recommendation and planned to evaluate the level of preparedness for cybersecurity personnel not currently holding certifications to take certification exams using the National Initiative for Cybersecurity Education (NICE) certification mapping that is due for release in November 2018. DOE officials plan to develop criteria to identify personnel who are prepared to take certification exams and will perform a department-wide evaluation, after which they plan to report to Congress by a target date of September 30, 2019. As of August 2020, DOE had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.
Agency: Department of the Interior
Status: Open
Comments: Department of the Interior (Interior) concurred with our recommendation. Officials from the department stated they were developing a plan to assess the workforce's preparedness to complete and maintain certifications. Interior officials stated that they were planning to leverage the department's learning and performance management system for assessing the level of preparedness of cybersecurity personnel to take certification exams and planned to report to Congress by March 2021. As of August 2020, HUD had not provided evidence that it had implemented this recommendation. We will continue to monitor the situation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: National Aeronautics and Space Administration (NASA) did not concur with our recommendation and has not yet provided evidence that it has implemented the recommendation as of August 2020. We will continue to monitor the situation.
Agency: Small Business Administration
Status: Open
Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2020, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.
Agency: Small Business Administration
Status: Open
Comments: Small Business Administration (SBA) officials concurred with our recommendation. SBA officials stated that they have made significant progress in the workforce assessment area, and have recently completed an assessment of the SBA's IT workforce and reported on existing skills gaps. SBA officials stated that they plan to execute against the IT workforce plan to include addressing requirements within the Federal Cybersecurity Workforce Assessment Act of 2015. As of August 2020, SBA had not provided evidence that it had implemented the recommendation. We will continue to monitor the situation.
GAO-18-326, May 24, 2018
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: In January 2020, the Under Secretary of Defense for Acquisition and Sustainment issued an updated instruction on defense business systems requirements and acquisition, which included guidance on establishing baseline cost and schedule estimates and considering progress against the baselines at key decision points. However, the instruction does not make a distinction between initial and current baselines. Further, it did not include thresholds for cost and schedule variances or specify periodic reporting of program performance information to stakeholders. According to an official in the office of the Under Secretary of Defense for Acquisition and Sustainment, the office does not intend to add the elements of the recommendation related to thresholds and reporting. Specifically, according to the official, the office considers specifying predetermined threshold cost and schedule estimates and frequency for status reporting to be matters for implementation guidance issued by department components or determined by a program decision authority. However, until the department demonstrates that it has fully addressed the recommendation, it is limited in its ability to ensure that effective system acquisition management controls are implemented for each major business system investment and that stakeholders have the information needed to make informed decisions for managing and overseeing these investments. We will continue to monitor the department's implementation of the recommendation.
Agency: Department of Defense
Status: Open
Comments: As of November 2019, the Department of Defense had made progress addressing the intent of the recommendation related to requirements management; however, it needs to do more to improve DHMSM program risk management. Specifically, in March 2019, the DHMSM program manager approved a requirements management plan, which includes identifying and documenting changes that should be made to plans and work products resulting from changes to the baseline requirements. Specifically, it includes forward and backward configuration and change management of the baselined requirements and managing traceability of requirements to design artifacts, test cases, defects, and change requests. However, the program has not demonstrated that it quantifies costs and benefits of risk mitigation in its risk mitigation plans. Specifically, it did not demonstrate that it had updated its guidance to require that costs and benefits of risk mitigation plans be included in these plans. We will continue to monitor the department's efforts to implement the recommendation.
GAO-18-337, May 22, 2018
Phone: (202) 512-4456
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort has an estimated completion date in fiscal year 2023.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. The agency now expects to complete actions to address this recommendation by November 2020.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. As of April 2020, the agency had not yet provided evidence that it had developed policies and procedures for evaluating the portfolio. We plan to continue following up on the status of efforts to address this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. As of September 2020, NASA reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by 2021.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. As of September 2020, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be completed by 2021.
GAO-18-130, Apr 16, 2018
Phone: (202) 512-4456
Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Comments: In October 2019, the DOD CIO developed a report on the first increment of version 3 of the department's information enterprise architecture (IEA). The report includes high-level descriptions of the current and target architectures, and high-level plans and schedules for transitioning from the current to the target architecture. The report states that because of the incremental approach to developing the architecture, the plans and schedules are notional and depend on several factors over which the DOD CIO has limited or no control, such as funding and changing world events, priorities, and technology. The report also describes plans to integrate the IEA with the department's business enterprise architecture. However, the report did not define a specific time frame for integrating the architectures. According to the report, for the next increment of the architecture, the department plans to develop compliance criteria and plans for developing an ontology, database, and tool suite. The department did not provide a time frame for completing the next increment. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense: Office of the Secretary of Defense
Status: Open
Comments: In October 2019, the DOD CIO developed a report on the first increment of version 3 of its information enterprise architecture (IEA). The report described planned efforts related to integrating the IEA and the business enterprise architecture. However, the report did not define a specific time frame for when the department plans to integrate the architectures.
GAO-18-42, Jan 10, 2018
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: The agency concurred with our recommendation, and in June 2018, USDA CIO delegated the review and approval of acquisition plans and strategies to the Capital Planning and Information Technology Governance Division (CPITGD) through the Associate CIO of the Information Resource Management Center. However, as of June 2020, the agency had not provided evidence to demonstrate that these reviews and approvals are taking place as required by OMB's guidance. We will continue to monitor the implementation of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that the CIO and the Senior Procurement Executive will issue a memo to their acquisition and CIO member offices clarifying the offices' joint responsibilities to ensure that all IT acquisitions are submitted to the CIO for review and approval. The memo is also to provide guidance on the process by which the CIO will review proposed contract actions. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In a March 2018 response to our report, the agency agreed with our recommendation and stated that it intended to clarify its policies and procedures to comply with OMB rules, including the IT acquisition checklist, which must be completed for every proposed contract action. In addition, the CIO and Senior Procurement Executive will work together to review existing acquisition plan review and approval processes. However, as of February 2020, the agency had not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency agreed with our recommendation and in an April 2018 update stated that HHS has a policy for the HHS IT acquisition review process for acquisition strategies. However, as of February 21, 2020, the agency had not provided evidence that the CIO (or designee) was reviewing and approving IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: Department of State
Status: Open
Comments: The agency agreed with our recommendation, and in a December 2019 update provided information on the agency's CPIC process and a template for IT acquisition strategies. However, it is not clear whether the CIO is reviewing and approving IT acquisition plans through the CPIC process and the template does not provide a place for the CIO review and approval. In addition, we have requested evidence of CIO approval of selected IT acquisitions. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency did not state whether it agreed or disagreed with the recommendation. In March 2019, Treasury issued a memo that requires the CIO to review and approve IT acquisition plans for acquisitions with a total value of $68 million or more, or for actions with a period of performance longer than 5 years. The review and approval of all other IT acquisition plans are delegated to the component CIOs or Chief Technology Officers. However, the agency had not yet provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The agency concurred with the recommendation. In October 2019, Transportation issued guidance requiring the CIO or designee to review and approve all IT acquisition plans. We have requested that the agency provide us evidence of CIO-approved IT acquisition plans. The agency stated that it planned to respond by May 15, 2020. We will continue to monitor the implementation of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The agency concurred with the recommendation. In November 2019, VA issued guidance that requires the CIO, in conjunction with the Chief Acquisition Officer, to review and approve all IT acquisition strategies and plans. Specifically, the CIO is to review and approve IT acquisitions valued at $15 million or more. The CIO has delegated the review and approval of IT acquisitions less than $15 million to other designees, based on the value of the contract. However, the agency had not provided evidence that the CIO (or designee) was reviewing and approving selected IT acquisition plans, as required. We will continue to monitor the implementation of this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The agency concurred with the recommendation, and in September 2017, NASA's CIO delegated the review and approval authority of IT acquisitions to the Center CIOs. We have requested evidence of CIO-approved IT acquisitions. We will continue to monitor the implementation of this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The agency concurred with the recommendation and in an April 2020 update stated that OPM has contracted with a third-party vendor to evaluate the OPM IT human capital, architecture, and governance processes from planning to acquisition to implementation. The agency further stated that it is working to fully implement an IT governance process where the OPM CIO fully reviews and approves IT acquisition plans and processes. We will continue to monitor the implementation of this recommendation.
GAO-18-51, Nov 21, 2017
Phone: (202) 512-9286
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: OMB has not taken actions to address this recommendation, stating that the Federal CIO is not typically involved with overseeing individual IT programs. However, we continue to believe it is important for OMB to take this action, as the results of past CIO-led reviews of troubled programs show that CIO oversight can have significant positive results, including producing significant savings. In December 2019, OMB stated that it had no ongoing or planned action to address the recommendation, noting that the recommendation represents a "fundamental disagreement" between OMB and GAO on the role of the Federal CIO in overseeing programs.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: We have been requesting periodic updates from OMB on actions it has taken to address the recommendation. As of April 2020, the agency did not have any updates.
GAO-18-148, Nov 7, 2017
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: In September 2019, a Department of Agriculture official stated that the department was working to establish a policy to include the information noted in our recommendation and planned to finalize a policy by the end of December 2019. We will continue to monitor the department's progress on these efforts.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) has taken action, and stated that it would draft a policy to address our recommendation. In November 2019, a VA official stated that the department is working to address our recommendation but did not identify timeframes for when all activities would be completed. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it planned to develop a policy to implement this recommendation and other FITARA issues. Specifically, EPA officials reported in July 2019 that the agency was continuing to work to address the recommendation but did not provide a time frame for when a policy would be finalized. We will continue to monitor EPA's progress on these efforts.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation and reported that the agency was in the process of addressing it. Specifically, NASA officials reported in June 2020 that its guidance is currently being updated to include the information noted in our recommendation and will be finalized by September 2020. We will continue to monitor NASA's progress on these efforts.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with our recommendation and stated that it would update its policies and processes to include the elements we recommended. Specifically, OPM officials reported in November 2019 that guidance on CIO certification was being developed but the agency had not yet determined a time frame for finalizing the policy. We will continue to monitor OPM's progress on these efforts.
GAO-17-464, Sep 21, 2017
Phone: (202) 512-4456
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture (USDA) concurred with our recommendation and stated that it plans to, among other things, provide the EIS vendor community with USDA's future vision and requirements in order to enable each vendor to propose optimal solutions; and update the cost benefit analysis of new technologies while reviewing vendor proposals. However, USDA has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor USDA's progress on these efforts.
Agency: Department of Agriculture
Status: Open
Comments: As we recommended, the U.S. Department of Agriculture (USDA) identified transition roles and responsibilities related to the management of assets, human capital, and information security, and legal expertise. USDA also developed a communications plan and change management plan for the transition. However, the department has not yet demonstrated that it has implemented change management, nor that it is using configuration management for the transition. We will continue to monitor USDA's progress in implementing this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: U.S. Department of Agriculture (USDA) officials stated that they are in the process of completing an Independent Government Cost Estimate for the transition. The officials also stated that the department is creating an EIS support organization that will address staffing needs for the transition. However, USDA has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor USDA's progress in implementing this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture (USDA) concurred with our recommendation and stated that it plans to (1) incorporate mission-critical priorities into USDA's requests for quotes; (2) ensure that critical systems are inventoried and that their respective transition plans ensure continuity of operations; and (3) prioritize mission-critical functions within its transition timeline. However, USDA has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor USDA's progress in implementing this recommendation.
Agency: Department of Labor
Status: Open
Comments: Department of Labor (DOL) officials stated that the agency is in the process of developing an inventory of its telecommunications assets and services that are associated with GSA's expiring contracts (e.g., Networx). The officials noted that, as part of the department's transition to EIS, DOL plans to include only limited non-GSA/commercial telecommunications assets and services in its initial transition efforts and inventory. The officials further stated that DOL will not focus on these non-GSA/commercial assets and services until the department completes its transition of assets and services associated with GSA's expiring contracts. We will continue to monitor the department's efforts to develop a complete telecommunications inventory, including assets and services associated with both GSA and non-GSA/commercial contracts, and associated maintenance processes for this inventory.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (DOL) provided documentation demonstrating that it has identified certain future telecommunications needs for the department, but DOL did not identify these needs using a complete inventory of its current telecommunications assets and services. In addition, the department demonstrated that it had completed a draft strategic analysis of its telecommunications requirements, but this analysis was not yet finalized and approved. Further, the department has not yet demonstrated that it has aligned its identified telecommunications needs with its long-term plans and enterprise architecture. We will continue to monitor DOT's efforts to implement this recommendation.
Agency: Department of Labor
Status: Open
Comments: Department of Labor (DOL) officials stated that the department is in the process of selecting a project manager to develop the Transition Project Plan and other supporting documentation for the transition, including a communications plan. DOL expects to develop this documentation around March 2020. We will continue to monitor the department's progress on these efforts.
Agency: Department of Labor
Status: Open
Comments: Department of Labor (DOL) officials stated that the department is in the process of selecting a project manager to develop the Transition Project Plan and other documentation that would address this recommendation. The officials expect to develop this documentation around March 2020. We will continue to monitor the department's efforts to implement this recommendation.
Agency: Department of Labor
Status: Open
Comments: Department of Labor (DOL) officials stated that the department is in the process of selecting a project manager to develop the Transition Project Plan and other documentation that would address this recommendation. The officials expect to develop this documentation around March 2020. We will continue to monitor the department's efforts to implement this recommendation.
Agency: United States Securities and Exchange Commission
Status: Open
Comments: The Securities and Exchange Commission (SEC) concurred with our recommendation. SEC stated that it plans to establish an EIS planning team comprised of key IT personnel from across the agency to identify, among other things, future needs and areas for improvement, so that SEC can incorporate the results into its transition planning. However, SEC has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor SEC's progress implementing this recommendation.
Agency: United States Securities and Exchange Commission
Status: Open
Comments: The Securities and Exchange Commission (SEC) concurred with our recommendation and stated that it plans to document the roles and responsibilities of key EIS transition team members across the agency. The agency also plans to develop a transition communications plan that includes configuration and change management practices. However, SEC has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor SEC's progress implementing this recommendation.
Agency: United States Securities and Exchange Commission
Status: Open
Comments: In response to our recommendation, the Securities and Exchange Commission (SEC) provided a high-level budget estimate for the transition. However, it was unclear what costs were included in this estimate and the agency did not provide documentation that justified the costs identified. In addition, SEC has not yet provided an analysis of the staff resources it needs for the transition, nor an analysis of the training needs for the staff assisting with the transition. We will continue to monitor SEC's efforts to implement this recommendation.
Agency: United States Securities and Exchange Commission
Status: Open
Comments: The Securities and Exchange Commission (SEC) has demonstrated that its transition goals and measures align with its mission. In addition, the commission has identified transition risks related to continuity of operations. However, SEC has not yet identified transition risks related to its critical systems, nor identified mission-critical priorities in its transition timeline. We will continue to monitor SEC's progress on these efforts.
Agency: Social Security Administration
Status: Open
Comments: Social Security Administration (SSA) officials stated that the agency is in the process of making significant changes to its procedures and policy for its telecommunications inventory. The officials expect to have a complete inventory of their telecommunications assets and services by 2021. We will continue to monitor SSA's efforts to implement this recommendation.
Agency: Social Security Administration
Status: Open
Comments: Social Security Administration (SSA) officials stated that the agency's priority is to transition its telecommunications services on a like-for-like basis, in order to complete the transition before its existing contracts expire, as well as to receive immediate cost savings. Officials also stated that, once SSA has released its EIS solicitations, they plan to analyze the alignment of their future telecommunications needs with the agency's enterprise architecture. However, SSA has not yet provided documentation demonstrating that it has completed this analysis. We will continue to monitor SSA's progress on these efforts.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) provided documentation demonstrating that it has implemented a change management process, including establishing a change control board that is scheduled to meet on a weekly basis and tracking change requests in its IT Service Management tool. However, SSA has not yet demonstrated that it has implemented configuration management processes for its transition. We will continue to monitor SSA's efforts to implement these processes.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) provided documentation demonstrating that it has identified the staff resources and required training for staff working on the transition. However, SSA has not yet provided documentation demonstrating that it has identified the funding resources needed for the full transition, nor documented the costs and benefits of transition investments, such as for resource requests related to transition program management staff. We will continue to monitor SSA's efforts to fully implement this recommendation.
Agency: Social Security Administration
Status: Open
Comments: The Social Security Administration (SSA) has identified transition risks related to critical systems and continuity of operations. In addition, SSA officials stated that the agency is in the process of identifying (1) agency-specific measures of success for the transition and (2) mission-critical priorities that need to be incorporated into its transition timeline. However, SSA has not yet provided documentation demonstrating that it has completed these efforts. We will continue to monitor SSA's efforts to fully implement this recommendation.
Agency: Department of Transportation
Status: Open
Comments: Department of Transportation (DOT) officials stated that the department has developed a comprehensive inventory of its telecommunications assets and services, and maintains this inventory on a regular basis. However, as of August 2020, the department has not yet provided documentation of its inventory or the associated maintenance processes. We will continue to monitor DOT's efforts to complete this inventory and establish a maintenance process for it.
Agency: Department of Transportation
Status: Open
Comments: Department of Transportation (DOT) officials stated that they conducted an assessment of the department's future telecommunication requirements. According to officials, the results of this analysis were included in an EIS Statement of Work. However, DOT has not demonstrated that it used its complete inventory of existing services to identify its future needs. DOT also stated that it has conducted extensive research to identify areas for optimization and sharing, but did not provide documentation of this research. Further, DOT has not provided evidence that the department has aligned its transition approach with its long-term plans and enterprise architecture. We will continue to follow up with DOT regarding these efforts.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (DOT) developed a transition communications plan and identified roles and responsibilities related to legal expertise, the management of assets and human capital. DOT has also provided evidence that they are requiring the use of change management in the transition. However, DOT has not demonstrated that it is applying configuration management processes to DOT's transition efforts. We will continue to monitor DOT's efforts to implement this recommendation.
Agency: Department of Transportation
Status: Open
Comments: Department of Transportation (DOT) developed a transition resource plan that identifies functional roles needed for the transition, such as network engineers and staff to place new telecommunications orders. However, the transition resource plan did not identify the staffing levels needed for each of the functional roles, such as how many network engineers are necessary, and DOT did not provide other documentation that fully identifies these resource needs. In addition, DOT has not yet provided documentation that it has identified the funding needed for the full transition, justified requests for transition resources, or fully analyzed training needs for staff assisting with the transition. We will continue to follow up on DOT's efforts to implement this recommendation.
Agency: Department of Transportation
Status: Open
Comments: Department of Transportation (DOT) provided evidence that its transition goals and measures align with its mission and that it has identified the risks associated with the EIS transition. However, DOT has not yet provided documentation demonstrating that it has identified mission-critical priorities in its transition timeline. We will continue to monitor DOT's efforts to implement this recommendation.
GAO-17-377, Sep 6, 2017
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Health and Human Services
Status: Open
Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS operating divisions. However, as of January 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Further, HHS has not provided us with a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.
Agency: Department of Health and Human Services
Status: Open
Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS operating divisions. However, as of February 2020, agency officials have not indicated whether or not they concur with the recommendation, nor have they taken any action or provided a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make progress toward establishing an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and in the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In HHS' Public Health and Social Services Emergency Fund's fiscal year 2021 budget justification (which includes the Office of the Assistant Secretary for Preparedness and Response), the agency stated it "concurred" with this recommendation. However, as of February 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Until then, HHS may continue to lack the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA. To address this recommendation, HHS needs to direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance.
GAO-17-267, Aug 17, 2017
Phone: (202) 512-9286
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the Grants and Member Management (GMM) system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a commercial off-the-shelf (COTS) application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet defined requirements for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a project schedule for completing the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a timeframe to define test plans for the selected solution for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
GAO-17-258, Aug 15, 2017
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: HHS did not concur with our recommendation and stated that it had updated its requirement to request 2-year budget forecasts instead of 5-year budget forecasts. In its December 2017 statement of actions, HHS stated that it was working to streamline and simplify its data collection effort as part of the annual sustainability plan. In April 2018, HHS provided a revised 2-year budget forecast template as well as related state marketplace training documentation. As of April 2020, HHS had not provided further documented evidence of its streamlined process using the 2-year budget forecast template or justification that a 5-year budget is not necessary for assessing long-term financial sustainability and state marketplace sustainability risks.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS concurred with our recommendation and stated in its December 2017 update that it continued to provide technical assistance such as webinars and other trainings on independent financial and programmatic audit submission requirements. In April 2018, HHS provided evidence that it had taken some steps to ensure that state-based marketplaces provide required annual financial audit reports, including draft financial audit procedures, documentation of related training provided to states, and a revised HHS state officer annual review checklist emphasizing financial audit reporting. However, as of April 2020, the department had not provided evidence of finalized procedures, examples of checklist usage, or of states providing annual financial audit reports. Further, HHS training documentation stated that state-based marketplaces could provide alternate financial audit reports, such as a state-wide financial audit report, in lieu of a marketplace-specific report. It is not clear from the provided evidence that the department has ensured that state-based marketplaces are in compliance with financial audit reporting requirements. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes further action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS concurred with our recommendation and stated in its December 2017 update that it would refine its marketplace self-sustainability risk assessment process to provide greater insight into the state marketplace sustainability efforts and to identify areas where states may need assistance. In April 2018, HHS provided evidence that it had taken some steps to base its risk assessments on fully defined processes. CMS provided documentation of clearly defined and measurable terms used for state marketplace budget analysis. However, HHS did not provide evidence that these defined terms were incorporated into analyses or risk assessments. As of April 2020, CMS has not provided evidence that it took steps to develop a clear categorization process or a defined response to high risks. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that though each marketplace was accountable for managing and reporting its own IT metrics in accordance with federal and state law, HHS would work with states on the improvement of their management and operations through technical assistance and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS did not concur with our recommendation and stated that it conducted Open Enrollment Readiness Reviews to assess marketplace key performance indicators, which according to CMS officials, are similar to operational analysis reviews. However, as of October 2018, HHS had not provided evidence that the Open Enrollment Readiness Reviews systematically and comprehensively reported on the key performance indicators or included discussion of other key elements identified in best practices for operational analysis reviews, such as how objectives could be better met, or costs could be saved. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: HHS partially concurred with our recommendation and stated in its December 2017 update that states were responsible for monitoring their own performance measures but HHS would continue to review IT metrics of state marketplaces in the implementation phase of their systems through technical assistance activities and oversight and accountability measures. As of April 2020, the agency had not yet provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the department's progress in implementing the recommendation and provide updates when the agency takes action.
GAO-17-448, Aug 15, 2017
Phone: (202) 512-9286
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In June 2019, the Office of Management and Budget (OMB) issued an updated Data Center Optimization Initiative (DCOI) policy that encouraged federal agencies to implement automated monitoring tools at agency-owned data centers using more than 100 kilowatt hours of electricity. However, the updated policy did not require agencies to document a plan for implementing the tools as we recommended. As of January 2020, we have not received a further update from OMB and the recommended action has not yet been taken. We will continue to monitor the status of this recommendation.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce (Commerce) agreed with our recommendation and described planned actions to address it. Specifically, the department noted that, as part of its effort to consolidate, define, and establish a plan to deploy an enterprise-wide automated monitoring tool, it had identified two component agencies that would offer a data center infrastructure management tool as a service. The department added that this approach would allow it to monitor and report cost savings and avoidances more efficiently. In November 2019, Commerce reported that it had 73 agency-owned data centers that the department planned to keep open. However, of those 73, only seven had implemented the required advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 66 of its agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Energy
Status: Open
Comments: The Department of Energy (Energy) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that it established plans to implement automated monitoring tools at its 78 department-owned tiered data centers and planned to evaluate whether its 68 department-owned non-tiered data centers should be consolidated or closed. In November 2017 correspondence to GAO, the department further stated that, for the non-tiered centers projected to remain open, it expected to complete plans for automated server utilization by September 30, 2019. In November 2019, Energy reported that it had 92 agency-owned data centers that the department planned to keep open, of which the Office of Management and Budget exempted three from optimization requirements. However, of the remaining 89 data centers, only 37 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 52 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and described planned actions to implement it. Specifically, the department stated that HHS would direct its operating and staff divisions to acquire and install automated monitoring tools in all agency-owned data centers by the close of fiscal year 2018. In November 2019, HHS reported that it had 35 agency-owned data centers that the department planned to keep open. Of those 35, 22 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 of its agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior (Interior) partially concurred with our recommendation. Specifically, the department stated that it was committed to completing its plan on schedule, but that its ability to meet the Office of Management and Budget's (OMB) requirement to implement automated monitoring tools at all department-owned data centers by the end of fiscal year 2018 depended on many factors and variables, including the availability of funding and other resources. Nevertheless, in October 2017 correspondence to GAO, the department stated that it expected to complete planning for the deployment of automated monitoring in agency-owned data centers by September 30, 2018 and to complete implementation by December 31, 2023. The letter noted that Interior would prioritize implementation at major tiered data centers, with implementation at other data centers as budgets permitted. In November 2019, Interior reported that it had 55 agency-owned data centers that the department planned to keep open, one of which OMB exempted from optimization requirements. However, of the remaining 54 data centers, only 17 had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 37 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (Transportation) agreed with our recommendation and, in November 2017 correspondence to GAO, described planned actions to implement it. Specifically, the department stated that its Office of the Chief Information Officer would create a plan of action to address the multi-layer requirements applicable to the department. Transportation expected to develop a plan of action that addressed the Office of Management and Budget's August 2016 Data Center Optimization Initiative (DCOI) guidance memorandum. The department expected to implement its plan by September 30, 2018. In November 2019, Transportation reported that it had 17 agency-owned data centers that the department planned to keep open. However, of those 17 data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 17 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In November 2019, the Department of the Treasury reported that it had 16 agency-owned data centers that the department planned to keep open. However, of those 16 data centers, only four had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining 12 agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with our recommendation, and in November 2017 correspondence to GAO, described completed and planned actions to address it. Specifically, the department stated that its Office of Information and Technology (OI&T) was developing a plan to fully comply with the Office of Management and Budget (OMB) requirements to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018. According to the department, OI&T had taken a series of actions such as determining a strategy to meet OMB reporting requirements and reviewing the existing automated tools in use at VA. As part of its planning effort, OI&T was analyzing its data centers, collecting data through a web-based portal and automated tools, and implementing change management processes to manage IT assets in VA data centers. According to the department, OI&T expected to complete a written comprehensive plan by November 30, 2017. In May 2018, VA indicated that it had engaged OMB in discussions regarding how to classify its data centers and that the comprehensive plan would be completed by October 2018. In November 2019, VA reported that it had 279 agency-owned data centers that the department planned to keep open, of which OMB exempted 67 from optimization requirements and another 204 were pending OMB review to determine whether they would also be exempt. However, of the remaining eight data centers, none had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the department about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining eight agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State agreed with our recommendation and described completed and planned actions to address it. Specifically, the department stated that it performed an analysis of tools, including shared services and commercial-off-the-shelf products. The department also stated that it was developing an acquisition strategy based on its research and planned to pursue a commercially available product. However, the department noted that budgetary constraints may delay the acquisition until fiscal year 2019 or later. In October 2019, staff from State's Office of the Chief Information Officer reported that 3,897 of the department's 4,137 servers (94.2 percent) had monitoring tools installed. In January 2020, the staff indicated that the department planned to continue installing tools as funds were available, with the goal of completing installation by the end of fiscal year 2020. We will continue to monitor the status of this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) described planned actions to address our recommendation. Specifically, the agency detailed plans to address OMB's requirements, such as leveraging EPA's current investment in a network monitoring tool and the intent to procure and deploy a data center infrastructure management tool by the end of fiscal year 2018. However, in December 2018, EPA determined it will leverage its current network monitoring tool for server utilization monitoring. The agency expects to have most data center servers monitored by the end of CY 2019. Once servers are monitored, the agency said that it will follow the most current OMB guidance to report required metrics. In November 2019, EPA reported that it had four agency-owned data centers that the agency planned to keep open. However, of those four data centers, one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining three agency-owned data centers. We will continue to monitor the status of this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) stated that it partially concurred with our recommendation and described plans to address it. Specifically, the agency stated that it plans to consolidate its remaining data centers into two main locations by the end of fiscal year 2018. OPM further stated that this consolidation will obviate the need to implement automated monitoring tools at the data centers that are closing. Finally, the agency noted that it is implementing automated monitoring tools at the designated core data centers. In November 2019, OPM reported that it had two agency-owned data centers that the agency planned to keep open. However, of those two data centers, only one had implemented the advanced monitoring tools. As of January 2020, we have not received a more recent update from the agency about how it will meet the Data Center Optimization Initiative requirement to implement monitoring tools at the remaining agency-owned data center. We will continue to monitor the status of this recommendation.
GAO-17-614, Aug 3, 2017
Phone: (202) 512-6244
including 2 priority recommendations
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM partially concurred with the recommendation. OPM has improved its POA&M management system. Using this system, the agency provided, on 08-27-19, milestones showing timely validation of evidence for closing one US-CERT recommendation. However, OPM has not provided support showing timely validation of 16 other US-CERT recommendations that it has closed. OPM needs to provide evidence of timely validation of these 16 completed recommendations, or evidence for the two US-CERT recommendations that remain open, once these two have been closed and validated. As of March 2020, OPM has not yet provided evidence of taking such actions.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM concurred with the recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop role-based training requirements for its continuous monitoring program, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to issue role-based training requirements for individuals who configure and maintain the deployed continuous diagnostics and mitigation tools. As of March 2020, OPM has not yet provided evidence of taking such actions.
GAO-17-384, Jun 21, 2017
Phone: (202) 512-9286
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and documentation describing the proposed alignment and interdependencies between information technology (IT) governance boards. According to VA officials, as of September 2019, the department had continued to further evolve its IT governance framework, reworked the committee structure and related working groups that oversee IT investments, and refined the process for prioritizing investments. A draft IT Governance Policy that describes an updated governance structure intended to implement IT solutions and an agile workforce was to be implemented by March 2020. The department has yet to report on the status and results of this implementation. We will continue to monitor VA's actions to ensure that the implementation is consistent with planned actions.
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation, including developing a set of metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that IT investments are aligned to business needs and that expected outcomes are defined prior to making the investments. According to department officials, VA issues a Joint Business Plan that identifies annual milestones associated with initiatives agreed upon by both VHA and OIT. As of September 2020, we are reviewing additional documentation related to the underlying processes that support the compilation of the plan and any related metrics for the associated investments that are to support VHA's mission. We will continue to monitor progress in this area.
Agency: Department of Veterans Affairs
Status: Open
Comments: In its comments on our report, VA concurred with our recommendation. The department described its intention to ensure that unmet IT needs for the pharmacy benefits management, scheduling, and community care program areas were addressed appropriately during fiscal year 2018 budget formulation. In March 2020, we met with officials from the Pharmacy Benefits Management program office, the Office of Veterans Access to Care, and the Community Care program to discuss the status of new service requests and the extent to which IT needs have been met since our report. While there was a slight decrease in the total number of new service requests that remained open for 5 years or more, officials from each office did not consistently report improvements in how IT needs were being addressed. For example, Pharmacy Benefits Management officials still waited for improvements that may come with the deployment of the new electronic health record system, but they continued to report that updates to industry standards should be addressed sooner and often IT needs did not make it through the prioritization process at the Veterans Health Administration to be considered by the Office of Information and Technology. Community Care officials reported a general improvement in the IT governance process and a more engaged relationship with the Office of Information Technology; however, the list of open new service requests still included long-term VistA-related enhancements, some of which had not yet been prioritized by the department. The Office of Veterans Care has not yet provided an updated list of open new service requests, but officials were satisfied with a new maintenance contract that allowed them to address a number of IT issues. We will continue to monitor the number of new service requests in each program area and the extent to which the IT needs are being met by the IT governance process.
GAO-17-284, May 18, 2017
Phone: (202) 512-4456
Agency: Department of Homeland Security
Status: Open
Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.
GAO-17-234, Mar 23, 2017
Phone: (202) 512-7215
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred in principle with this recommendation. Moreover, since our March 2017 report, Congress passed the Veterans Appeals Improvement and Modernization Act of 2017, which required VA to develop a comprehensive appeals plan that included, among other things, descriptions of modifications to, cost estimates of and timelines for information technology that the agency needs to carry out appeals reform. However, more than a year after implementation of appeals reform, VA's February 2020 updated plan and FY 2021 budget request indicate that Caseflow has "minimal functionality", with many functionalities yet to be implemented. Further, VA's February 2020 updated plan and its FY 2021 budget request do not include specific steps or goals related to achieving overall functionality, integrated testing, or IT training for staff on new functionality still to be implemented in 2020 or beyond. While the VA's use of the agile process for IT development can help mitigate risks and avoid cost overruns and delays, VA's plans do not signal when Caseflow will support all of the Board's workflow needs for processing appeals under the new process. Such longer-term planning also could help ensure that all potential changes are anticipated in the plans of various VA components. For example, VA's February 2020 updated plan states that VHA cannot use Caseflow to efficiently and effectively manage its appeals workload. Longer-term planning could also ensure more transparency around additional resources needed to fully implement Caseflow versus other appeals-related technologies enterprise wide. We will consider closing this recommendation when VA has produced a longer-term plan for developing, implementing and integrating Caseflow functionality in support of a streamlined appeals process, including clear definitions of initial/minimal operating capability and full operational capability.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred in principle with this recommendation. Moreover, since our March 2017 report, Congress passed the Veterans Appeals Improvement and Modernization Act of 2017, which required VA to produce a comprehensive appeals plan that required VA, among other things, to periodically publish a range of metrics, including timeliness, related to the processing of appeals under the new and legacy system. As of February 2019, VA implemented appeals reform; however, VA has not indicated how it will assess whether or the extent to which the new process, which also allows for multiple appeal opportunities, will achieve final resolution of veterans' appeals sooner, on average, than the legacy process. We will consider closing this recommendation when the Board establishes timeliness goals for all new appeals options and VA has produced a plan for analyzing whether the new process is an improvement. Closure of this recommendation is related to recommendation 2 in GAO-18-352.
GAO-17-281, Feb 7, 2017
Phone: (202) 512-6304
Agency: Department of Housing and Urban Development
Status: Open
Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intended to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. In March 2019, HUD reported that, with contractor assistance, the department had begun to develop a standard methodology for investment lifecycle cost estimation; however, the methodology had not been fully institutionalized across all investments, and a policy for cost estimation had not been developed. Lacking an updated IT Management Framework and cost estimation policy, OCIO took additional interim action in the most recent budget cycle to reduce cost estimation risk by having the Chief Technology Officer standardize the cost estimates for IT investments. HUD continues to take action intended to address this recommendation; however, OCIO has not yet finalized a cost estimation methodology or the associated policy for IT investments or established a timeframe for implementing cost estimation practices departmentwide.
GAO-17-8, Nov 30, 2016
Phone: (202) 512-9286
including 3 priority recommendations
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, minimally or partially implemented four activities, and not implemented the remaining three activities. In July 2020, the department provided a summary of actions it claimed it had taken to close the recommendation. The department also provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the Department of Defense's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activities to develop competency and staffing requirements and assess competency and staffing needs regularly, substantially implemented four other activities, and partially implemented the remaining two activities. We will continue to monitor the department's efforts to address our recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The department agreed with our recommendation and identified plans for (1) collecting and analyzing additional workforce data and (2) conducting targeted recruitment, staff planning, career development, and training. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had substantially implemented the activity to develop competency and staffing requirements, partially implemented three other activities, and either minimally or not implemented the remaining four activities. We will continue to monitor the department's efforts to address our recommendation.
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: The department agreed with the recommendation and stated that it plans to fully implement it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that the department had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Information Officer and Office of Human Resource Management had established a workgroup to lead and conduct workforce planning activities, and had defined the strategic goals and objectives for the department's IT workforce. The department also stated that the workgroup was planning on subsequently completing additional activities, including completing a workforce analysis with a competency gap assessment, by the end of calendar year 2020, and developing strategies to address any identified gaps by the end of 2021. We will continue to monitor the department's efforts to implement our recommendation.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The department agreed with our recommendation and identified planned and ongoing efforts to address it. In October 2019 (in GAO-20-129), we reported the results of our evaluation of the department's progress in implementing the eight IT workforce planning activities. Specifically, we reported that it had fully implemented the activity to develop competency and staffing requirements, but had not yet fully implemented the remaining seven activities, including developing a workforce planning process. In January 2020, the department stated that its Office of the Chief Human Capital Officer and Office of the Chief Information Officer would be presenting a decision paper to the Human Capital Advisory Council that month to request approval and resources to complete an IT Competency Framework, conduct a competency assessment, and conduct a department-wide workforce planning study for the 2210 (IT management) occupation. We will continue to monitor the department's efforts to implement our recommendation.
GAO-16-511, Sep 29, 2016
Phone: (202) 512-9286
Agency: Department of Commerce
Status: Open
Comments: We reported that the Department of Commerce did not meet the following software application inventory practice: regularly updates the inventory with quality controls to ensure reliability. Specifically, the department did not provide evidence of a process to regularly update its inventory or quality controls to ensure the reliability of the data collected. In October 2017, the department reported that application inventory information will be captured through the Department of Commerce Capital Planning and Investment Control (CPIC) system, as part of its regular updating of investment information. Further, the department stated that it will update its CPIC handbook to provide guidance on quality control to ensure reliability of the data collected. In November 2018 and November 2019 we followed up with Commerce on the status of their efforts; however, as of January 2020, we had not received an update. We plan to continue to follow up with Commerce to monitor the status of these planned actions.
Agency: Department of Energy
Status: Open
Comments: We reported that the Department of Energy partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In May 2017, the department reported that it plans to implement automated monitoring and inventory tools by the end of fiscal year 2020, which it expects will address the key practices. In December 2019, the department reported that it anticipates completing a refresh of its application inventory by the end of February 2020. We plan to monitor the department's efforts to implement the tools and to develop a complete application inventory.
Agency: Department of Housing and Urban Development
Status: Open
Comments: We reported that the Department of Housing and Urban Development (HUD) partially met the following three software application inventory practices, (1) includes systems from all organizational components, (2) specifies basic application attributes, and (3) is regularly updated with quality controls to ensure reliability. In June 2017, the department reported that it is working to identify applications in field offices, and planned for this effort to be completed in fiscal year 2018. In addition, the department stated it planned to update the inventory to include business functions for each system by the end of fiscal year 2017. Further, department officials stated that to ensure the accuracy and reliability of the application inventory, the department planned to conduct quarterly portfolio reviews starting in fiscal year 2018. In October 2018, HUD officials reported that CTO performed a technical assessment of HUD's IT assets, which resulted in identifying systems in the inventory that had been decommissioned and will be decommissioned. In addition, the department provided its strategy for performing the assessment. In August 2019, HUD reported that it completed an assessment of its legacy applications and the current inventory system is outdated. However, as of January 2020, HUD had not yet provided an updated inventory. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Social Security Administration
Status: Open
Comments: We reported that the Social Security Administration (SSA) partially met the following two software application inventory practices, (1) includes systems from all organizational components, and (2) regularly updates the inventory with quality controls to ensure reliability. In March 2017, SSA officials reported that the agency's Office of Systems and Office of Operations continue to collaborate on integrating application information into the Enterprise Application Inventory. The officials reported that regionally developed applications that have been granted authority to operate have been imported into the enterprise application inventory. In addition, the officials stated that the Office of Operations was in the process of redesigning their repository to accommodate requirements to support the Enterprise Application Inventory, including the ability to update and maintain application information in the enterprise repository. Lastly, SSA officials reported that its Office of Information Security and Office of Systems were continuing to work to identify additional headquarters applications and develop process and automation to include applications in the inventory. In June 2019, SSA officials reported that they were continuing to make progress to update the inventory to include systems from all organizational components. However, as of January 2020, we had not received an updated inventory. We will continue to monitor SSA's efforts to develop a complete application inventory.
Agency: Department of Labor
Status: Open
Comments: We reported that the Department of Labor did not meet one software application inventory practice, and partially met three practices. Specifically, we reported that the department did not meet the practice to ensure that the inventory is regularly updated with quality controls to ensure reliability, and partially met the practices to (1) include business and enterprise IT systems, (2) include systems from all organizational components, and (3) specify basic application attributes. In March 2018, department officials provided an updated inventory, which included business and enterprise IT systems from all organizational components, and specified basic attributes, including the name, owner, and business function. In addition, officials stated that they plan to update the inventory on a periodic basis as necessary, at minimum annually, as part of the department's IT budgeting process. Further, in June 2019, officials reported that the department performs biannual reviews of all IT investments and associated systems and applications to verify reported data. The officials also reported that the department uses quality control processes and procedures to ensure consistent, standard, and complete reporting to align with all investment artifacts. However, the department did not provide evidence of these data quality efforts. In June 2019, officials also reported that the department is implementing a new system in order to maintain an ongoing comprehensive inventory of all IT assets, including applications, which it expects to have fully operational by the end of the second quarter of fiscal year 2020. We will continue to monitor the department's efforts.
Agency: Department of the Treasury
Status: Open
Comments: We reported that the Department of the Treasury had partially met the following two practices for establishing a complete software application inventory, (1) specifies basic application attributes, and (2) is regularly updated with quality controls to ensure reliability. In September 2017, the department provided evidence showing that it had taken steps to address these practices. Specifically, the department provided an export of its inventory, which showed that most of the systems listed contained a system description. According to department officials, some systems do not have a system description because the department's inventory policy allows bureaus to attach documents to the inventory, which include the system description, instead of populating the system description field. Further, the policy does not require a system description for systems in the disposal state. Moreover, the inventory did not include the business segment or function that the system supports. According to Treasury officials, the Bureau and Functional Unit fields within the inventory allow the department to map the systems to the business segments that they support. We followed up with the department to obtain this mapping. However, as of January 2020, the department had not provided it. We will continue to monitor the department's efforts to ensure that the inventory is regularly updated with quality controls to ensure its reliability.
Agency: Department of State
Status: Open
Comments: We reported that the Department of State partially met the following software application inventory practices: (1) specifies basic application attributes; and (2) is regularly updated with quality controls to ensure reliability. Specifically, we reported that while the inventory included basic application attributes (e.g. name, description), it did not include the business function for the majority of inventory entries. Further, we reported that the agency did not provide evidence that quality control processes were in place to ensure the reliability of the data in the inventory. In July 2017, department officials stated that the department recently began a department-wide data call to obtain information on all IT assets and applications from each bureau, including aligning the assets and applications to a business function. Further, officials stated that they plan to analyze the results against their current data to ensure the accuracy and reliability of the IT asset inventory. In June 2019, the department provided evidence demonstrating that its inventory includes the business function for IT assets. In addition, State officials stated that the IT asset inventory that is posted internally for review is a high-level summary to facilitate monthly validation. However, as of January 2020, the department has not provided documentation showing that it has implemented the quality control processes to ensure the reliability of the data. We plan to continue to monitor the department's efforts to address the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: We reported that the Environmental Protection Agency had fully met three of the four practices to establish a complete application inventory, and partially met one. Specifically, the agency partially met the practice for including application attributes in the inventory, as EPA did not identify the business function for every application. In December 2019, Environmental Protection Agency officials stated that the inventory now requires the business function to be included, and provided inventory update instructions that show the business function is to be included. In addition, agency officials provided instructions for senior information managers to update the inventory in fiscal year 2019. However, as of January 2020, agency officials had not provided an updated inventory, and thus we were not able to verify that the business function was added for all applications. We will follow up with the agency to obtain the updated inventory.
Agency: Office of Personnel Management
Status: Open
Comments: We reported that the Office of Personnel Management (OPM) partially met the software application inventory practice to regularly update the inventory with quality controls to ensure reliability. In November 2016, OPM officials stated that they were validating the data in the application inventory. In addition, officials stated that they were making progress in using automated scanning tools to update the inventory, including coordinating with the General Services Administration's Software Management Group which is working to standardize the use of automated inventory tools across the government. In June 2017, November 2018, and November 2019, we followed up with OPM to obtain documentation of these reported actions; however, as of January 2020, the agency had not yet provided supporting documentation. We are continuing to follow up with OPM to obtain documentation of its reported actions.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with our recommendation, noting, among other things, in its written response to our draft report, that a majority of the Enterprise Information Environment Mission Area systems are IT infrastructure, and not applications. However, we reported that the mission area nevertheless included a large number of enterprise and business IT applications which could benefit from rationalization, and we therefore believed our recommendation was still warranted. In March 2020, the department stated that it is formalizing a guide to assist components with implementing an application rationalization process that will be used to rationalize the Enterprise Information Environment Mission Area systems. The department stated that it plans to perform annual reviews, and expects to start by the end of fiscal year 2020.
Agency: Department of Homeland Security
Status: Open
Comments: In April 2018, DHS officials stated that they identified FOIA systems as a high cost function, and will modify existing processes to collect and review the cost, technical, and business information. In November 2019, DHS reported that it is continuing to make progress in acquiring a new enterprise-wide FOIA system by reviewing current capabilities. We plan to continue to monitor the department's efforts.
Agency: Department of Labor
Status: Open
Comments: In February 2017, department officials stated that the department's portfolio of IT investments, which includes the systems, sub-systems, and applications in the IT asset inventory, is rationalized bi-annually as part of the Office of the Chief Information Officer's IT Capital Planning and Investment Control (CPIC) review processes. Further, officials stated that the systems and applications were also being rationalized as part of the process for updating the IT asset inventory. Officials stated that the department plans to review and update the department's CPIC guide to describe the IT asset inventory management process including the basic quality controls. In July 2019, officials reported that the department plans to have the updated guide completed by the end of fiscal year 2019. However, as of January 2020, the department had not provided documentation supporting these efforts. We plan to follow up with the department to obtain documentation of its efforts to address the recommendation.
Phone: (202) 512-6806
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In February 2018, the Office of Management and Budget (OMB) and General Services Administration launched an updated version of Performance.gov. Our updated analysis of information presented on the site in August 2020 found that it does not meet all requirements. However, OMB continues to take action to address this recommendation. For example, Performance.gov does not include a required inventory of federal programs. In July 2020, OMB reported that it is working with agencies to address this requirement. Beginning with the fiscal year 2021 federal budget cycle, OMB and agencies plan to merge implementation of existing web-based reporting of performance and spending data to provide a more coherent picture of federal programs and activities. We will continue to monitor the status of actions taken to address this recommendation.
GAO-16-771, Aug 26, 2016
Phone: (202) 512-6244
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.
GAO-16-47, Aug 19, 2016
Phone: (202) 512-9869
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to prepare a quantitative drilldown. In September 2017, Navy provided a listing of certain systems (DCAS, GLs, DDRS-B, and DDRS-AFS) it considered as Level 1 assessable units. However, the listing did not include a drilldown from the financial statement amounts through DDRS-AFS, DDRS-B, and DCAS to the receipt and disbursement source systems. In July 2020, Navy officials stated that Navy is implementing a new system that will enable them to complete a quantitative drilldown for its Fund Balance with Treasury (FBWT). The new system is not expected to be fully implemented until March 2021. In the interim, certain FBWT reconciliations are performed at DFAS that may provide a drilldown capability of FBWT as reported in financial statements to the applicable general ledger amounts.
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Navy concurred with this recommendation and stated that it has actions planned, taken, or under way to prioritize audit readiness efforts for key Fund Balance with Treasury (FBWT) systems. In September 2017, Navy provided documentation for three systems, but this documentation did not address corrective actions for ineffective controls and the expected completion dates. Further, during our audit, Navy provided a list of 22 relevant systems. In July 2020, Navy officials stated that they are preparing an audit strategy for each system, and documenting control activities and computer controls for significant systems. We will continue to follow up on the status of this recommendation.
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Navy concurred with this recommendation and stated that it had actions planned, taken, or under way to document control activities, information technology general computer controls for significant systems, systems documentation locations, and hardware, software, and interfaces. In September 2017, Navy provided documentation for 3 systems, but the documentation did not include system certifications or accreditations; system, end user, and systems documentation locations; and hardware, software, and interfaces. Further, during our audit, Navy provided a list of 22 relevant systems. In July 2020, a Navy official told us that they are preparing an audit strategy for each system, and documenting control activities and computer controls for significant systems. We will continue to monitor Navy's progress addressing this recommendation.
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Navy concurred with this recommendation and stated that it had actions planned, taken, or under way to prepare an internal control assessment document. In September 2017, Navy provided support for actions taken to address this recommendation. However, the documentation provided did not summarize controls by assessable unit (DCAS, DDRS-B, or systems). Instead, controls were listed by function (Treasury Reporting, Audit Readiness, and Departmental Reporting). In July 2020, a Navy official stated that documentation of overall Fund Balance with Treasury (FBWT) controls is in process and they are finalizing the Risk Control Matrix for FBWT to include controls at DFAS and at Treasury. The Risk Control Matrix is estimated to be completed by the end of August 2020. We will continue to monitor the progress in addressing this recommendation.
GAO-16-469, Aug 16, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and has taken steps to establish a department policy and process for the certification of major IT investments' use of incremental development. Specifically, in September 2020, HHS officials reported that they have established a draft policy and anticipate publishing the finalized guidance by March 2021. We will continue to evaluate HHS's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In September 2020, an official from the Department of the Treasury (Treasury) reported that the department had developed draft guidance to address our recommendation, but did not provide time frames for when the guidance would be finalized. Until the department establishes a CIO certification policy, Treasury will not be able to fully ensure adequate implementation of, or benefit from, incremental development practices. We will continue to evaluate Treasury's progress in implementing this recommendation.
GAO-16-602, Aug 15, 2016
Phone: (202) 512-9286
Agency: General Services Administration
Status: Open
Comments: The General Services Administration (GSA) agreed with, and has begun to take steps to implement, this recommendation. Specifically, in a March 2020 written response, GSA stated that Technology Transformation Service (TTS) leadership will be briefed on the program's performance measures on a quarterly basis. We are following up with GSA to confirm that its TTS leadership has been briefed on the results on these performance measures. We will continue to evaluate GSA's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB developed three goals for U.S. Digital Service (USDS): (1) rethink how the federal government builds and buys digital services; (2) expand the use of common platforms, services, and tools; and (3) bring top technical talent into public service. In addition, OMB established performance measures with targets for its third goal and for each of the program's major projects. However, OMB has not established performance measures for the first two USDS goals. Further, the program's third goal is not outcome-oriented. In May 2018, a USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. Although measuring performance on projects can provide USDS with valuable information, this effort does not address goals and performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in its December 2016 report to Congress, OMB assessed the results of performance measures for one of the U.S. Digital Service (USDS) program's goals--bring top technical talent into public service--and for each of the program's major projects. However, OMB has not established performance measures for the other two USDS goals--rethink how the federal government builds and buys digital services; and expand the use of common platforms, services, and tools. In May 2018, a USDS staff member stated that USDS established goals for and measured performance on each of the projects the program supports in its fall 2017 report to Congress. As of July 2019, USDS has not publicly released any subsequent reports to Congress or additional information on its goals and performance measures. Although measuring performance on projects can provide USDS with valuable information, this effort does not address performance measurement on the overall USDS program. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) generally agreed with, and has begun to take steps to implement, this recommendation. In particular, OMB updated its digital service team policy to require that teams appropriately inform their chief information officers (CIO) regarding U.S. Digital Service (USDS) projects. However, the policy does not describe the responsibilities or authorities governing the relationships between CIOs and digital service teams. In May 2018, a USDS staff member stated that the program updated digital service team charters to address the role of agency CIOs. As of May 2020, USDS has yet to provide us with the updated digital service team charters. In May 2020, OMB stated that they would provide an update on the agency's efforts to address the recommendation by June 2020. We will continue to evaluate OMB's progress in implementing this recommendation.
GAO-16-695, Jul 21, 2016
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its fiscal year 2017 congressional justification, IRS modified how its budget data were organized, including linking requested increases to future state themes, but did not clarify how current spending by themes relates to appropriation accounts. Information on current spending by theme and account is important to ensure transparency on the current funding levels to assist Congress in making informed budget decisions. As reported in October 2018 in GAO-19-108R, the themes under the Future State vision are now being pursued as part of IRS's strategic plan for fiscal years 2018 to 2022, issued in May 2018. IRS has been phasing out the use of the term Future State and did not include it in its fiscal year 2020 congressional justification. Including data on the themes in the strategic plan would provide additional transparency and improve the quality of the information available to Congress for budget deliberations.
Agency: Department of the Treasury
Status: Open
Comments: As of November 2017, Treasury Department officials took steps to address the need to manually correct budget data for the fiscal year 2017 budget request. However, as of October 2019, we have not received documentation that they have done so for future budget years. Improved information would help Treasury and IRS better account for information technology resources. We will continue to monitor Treasury's progress.
GAO-16-593, Jul 14, 2016
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps in the JRSS cost estimate; however, as of July 2019, DOD had not provided the documentation. The officials also stated that planning for JIE components other than JRSS and ECAPS had not begun; therefore, there were no other JIE component cost estimates. We will continue to monitor the department's efforts to implement this recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network part of the Joint Regional Security Stacks (JRSS) component; however, the schedule was not consistent with the practices described in our report. In addition, in May 2019, officials in the Office of the DOD CIO stated that another JIE initiative, the Enterprise Collaboration and Productivity Services program, had an approved baseline schedule. However, as of July 2019, DOD had not provided the schedule.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule was not consistent with the practices described in our report. In May 2019, officials in the Office of the DOD CIO said that the JRSS schedule had not been re-baselined and the department had not developed a schedule management plan. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department planned to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. However, as of July 2019, the department had not provided an update on the status of its efforts to address the recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In May 2019, the office of the DOD CIO stated that it had developed a schedule to complete JIE security assessments. However, as of July 2019, the office had not provided the schedule or demonstrated that it has a strategy for conducting JIE security assessments that includes the rest of the elements of our recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with our recommendation; however, it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps. However, as of July 2019, DOD had not provided the documentation.
GAO-16-545, Jun 29, 2016
Phone: (202) 512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS provided GAO a slide deck titled "Prioritization Process for the Business Systems Modernization (BSM) Program/Projects" which describes a process for prioritizing BSM investments and capabilities within the investments. However, the slides were labeled "pre-decisional." In addition, they did not include specific procedures for prioritizing investments. In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In May 2018, IRS told GAO it had implemented the recommendation. As supporting evidence, the agency provided an April 2018 update to its Investment Performance Tool user guide along with briefing slides specifying actions taken to modify its processes to measure work performed by IRS staff. We reviewed the evidence provided and determined that it was not sufficient to close the recommendation as implemented. Specifically, while the Investment Performance Tool user guide included updated procedures for measuring work performed by IRS staff which aligned with best practices, it did not clearly state that earned value (or work performed) during an iteration should always be based on the percentage of planned features or user stories that were completed for that iteration. In addition, IRS did not provide evidence that it had used its updated procedures for the Return Review Program investment. We followed up with IRS to obtain this documentation. The agency subsequently provided the requested documentation to us and, as of July 2020, we were reviewing it to determine the extent to which it addresses the recommendation.
GAO-16-494, Jun 2, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
GAO-16-468, May 25, 2016
Phone: (202) 512-9286
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation. However, in July 2020, OMB stated that the implementation of this recommendation would be counter to the Administration's focus of prioritizing modernization activities specifically for High Value Assets and, as a result, it does not intend on implementing this recommendation. We disagree and believe that identifying and publishing a specific goal aimed at reducing non-provisioned spending (i.e., spending associated with systems that are not cloud or shared service-based) aligns with the Administration's Cloud Smart strategy to accelerate agency adoption of cloud-based solutions. We will continue to monitor the implementation of this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation. In July 2020, OMB stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB's December 2018 guidance. While OMB's guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The agency agreed with the recommendation. In May 2019, the agency stated that it had conducted an assessment of its legacy system environment and identified 106 legacy IT assets across 18 components. In a March 2020 update, the agency stated that it is in the process of developing a policy to govern all legacy systems, to include modernization and decommissioning plans. The agency plans to publish this policy by March 2021. We will continue to monitor the implementation of this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.
GAO-16-501, May 18, 2016
Phone: (202) 512-6244
including 1 priority recommendation
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities. As of March 2020, OPM has not provided evidence that it has completed these actions.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation. The agency has conducted security control assessments for the two systems, but these assessments did not show that technical controls were comprehensively tested. According to VA, the agency will complete the next security control assessment in October 2019 and complete the system assessment report in December 2019. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to VA informing us that it has completed implementation, we plan to verify the agency's actions.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.
GAO-16-325, Apr 7, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with our recommendation and reported that the department was in the process of addressing it. Specifically, an HHS official reported in August 2020 that the department had created a team to address cloud computing best practices and intended to finalize guidance on SLA key practices by June 2021. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In August 2020, an official from the Department of the Treasury (Treasury) reported that the department was in the process of addressing the recommendation. Specifically, a Treasury official reported that the department's Office of the Chief Information Officer was working with the Treasury Senior Procurement Executive to incorporate the key practices identified in our report into Treasury acquisition policy, which was expected to be completed by January 2021. We will continue to monitor the status of this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and reported that the department was in the process of addressing it. In August 2020, a VA official reported that the department's Office of Information Technology was working to re-write existing SLA documentation following a review from the Office of Inspector General but did not provide a date when the guidance would be finalized. We will continue to monitor the status of this recommendation.
GAO-16-265, Mar 23, 2016
Phone: (202) 512-6244
Agency: Department of Health and Human Services
Status: Open
Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.
GAO-16-168, Mar 15, 2016
Phone: (202) 512-3841
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: As of June 2020, GAO is working with the agency to determine what actions the agency has taken related to this recommendation.
GAO-16-182, Dec 17, 2015
Phone: (202) 512-6304
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: According to agency officials, FDA's CIO met with the FDA Commissioner in 2016 where the updated IT strategic plan was reviewed and approved. The Commissioner identified key IT initiatives to be implemented within FY2017 and incorporated them into the CIO's performance management appraisal program. According to officials, the Commissioner requires the CIO to implement a plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. Although FDA provided us with an Excel spreadsheet that identifies IT initiatives at the agency's weekly FDA project meeting, we requested additional documentation regarding the plan the CIO is required to implement to ensure that expected outcomes of the agency's key IT initiatives are fulfilled. We contacted FDA in September and December 2019 and January 2020 to obtain additional information on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.
GAO-15-617, Sep 15, 2015
Phone: (202) 512-9286
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture agreed with our recommendation and has taken initial steps to implement it. Specifically, as of May 2020, the department's integrated data collection submission to the Office of Management and Budget included reinvestment plans for 37 of 68 reported cost savings and avoidance initiatives. However, the department reported about $122.8 million in cost savings and avoidances in the 31 initiatives that did not include plans regarding how these savings would be reinvested. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The Department of Housing and Urban Development agreed with, and has taken initial steps to implement, our recommendation. Specifically, as of May 2020, the department's integrated data collection submission included reinvestment plans for one of the eight cost savings and avoidance initiatives reported. However, the seven remaining initiatives, with savings and avoidances totaling approximately $6.3 million, did not include reinvestment plans. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2020, the department had not yet updated its Information Resources Management (IRM) Strategic Plan to include information regarding the approach to reinvesting savings from the consolidation of commodity IT resources. In addition, in an April 2020 e-mail, the department's GAO liaison stated that Treasury had not yet updated its IRM strategic plan, but might have other, more current, strategic documents that described its reinvestment plans. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury has not yet taken steps to implement our recommendation. Specifically, as of May 2020, the department's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for 15 of the 27 reported cost savings and avoidance initiatives. For example, the department reported about $100 million in cost avoidances from its data center consolidation and optimization initiatives, but did not provide information regarding how it plans to reinvest these avoidances. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs agreed with, and took initial steps to implement, our recommendation. Specifically, in November 2015, the department's Chief of Staff stated that the Office of Information and Technology was working to establish an office to closely monitor program performance, delivery, cost, schedule, return on investment, and total cost of ownership, which will enable reinvestment opportunities. However, as of May 2020, the department's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for five of the 10 reported cost savings and avoidance initiatives. For example, the department reported about $229 million in cost avoidances associated with renegotiating an enterprise license agreement with Microsoft, but did not provide information regarding how it plans to reinvest these avoidances. The department expects to provide an update in June 2020. We will continue to evaluate the department's progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency agreed with our recommendation, but has not yet taken steps to implement it. Specifically, as of May 2020, the agency's quarterly integrated data collection submission to the Office of Management and Budget did not include reinvestment plans for any of the 12 reported cost savings and avoidance initiatives. For example, the agency reported about $34.0 million in cost savings and avoidances in 2019 related to data center, commodity IT, and software licensing initiatives, but did not provide information regarding how it plans to reinvest these savings and avoidances. The agency expects to provide an update in June 2020. We will continue to evaluate the agency's progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) agreed with our recommendation, but has not yet taken action to implement it. Specifically, in November 2015, OPM's Acting Director stated that information regarding the approach to reinvesting savings from the consolidation of commodity IT resources (including data centers) would be included in future updates to OPM's Strategic IT Plan. In August 2019, OPM's GAO liaison stated that the agency intended to update its Strategic IT Plan in fiscal year 2020 and intended to include reinvestment language as part of the update. However, as of May 2020, the agency had not yet updated its strategic plan to include this information. The agency expects to provide an update in June 2020. We will continue to evaluate OPM's progress in implementing this recommendation.
GAO-15-582, Sep 1, 2015
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and, as of January 2020, is continuing to develop requirements for VBMS in order to develop functionality to replace legacy information systems. In addition, the department subsequently provided us with expected completion dates for implementation of claims and appeals processing, but has not provided a schedule for the implementation of pension claims processing. To fully implement this recommendation, the department needs to provide the expected completion date for pension claims processing and an estimate of the cost to complete remaining development and implementation of VBMS.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and reiterated its plans and procedures for decreasing the incidences of defects in each system release. However, while the most recent VBMS release (i.e., May 2019) showed a decrease in the number of high- and medium-priority level defects, the release in February 2019 showed an increase in the number of high- and medium-priority defects. In addition, both the February 2019 and May 2019 releases showed the presence of the highest severity defects--critical--which have extensive user impact and for which workarounds do not exist. We will continue to monitor VA's actions and progress in response to this recommendation.
GAO-15-618, Aug 17, 2015
Phone: (202) 512-3841
Agency: Environmental Protection Agency
Status: Open
Comments: According to EPA officials, the Office of Grants and Debarment (OGD) established an agency-wide electronic grants record workgroup in fiscal year 2016. The workgroup identified the contents of the electronic grant file, technical options, and evaluation criteria. OGD completed its alternatives analysis for scope, general approach, and requirements in fiscal year 2017 and EPA expected this recommendation to be addressed by its new grants management system (GrantSolutions). However, in January 2020, EPA officials told us that EPA had ceased its migration to GrantSolutions after determining the long-term costs were unsustainable and that the system lacked fundamental functionality necessary for core grant operations and to maintain appropriate internal controls. EPA is now migrating towards a modernized grants administration and management cloud solution. EPA expects this recommendation to be addressed when the new grants management system is fully implemented. EPA anticipates deployment of the new cloud solution in December 2020.
Agency: Environmental Protection Agency
Status: Open
Comments: Implementation efforts are ongoing. According to EPA officials, OGD is conducting a multi-modular project to upgrade the agency's grants management IT system. EPA expected this recommendation to be addressed by its new grants management system (GrantSolutions), which had been targeted for deployment in March 2020. However, in January 2020, EPA officials told us that EPA had ceased its migration to GrantSolutions after determining the long-term costs were unsustainable and that the system lacked fundamental functionality necessary for core grant operations and to maintain appropriate internal controls. EPA is now migrating towards a modernized grants administration and management cloud solution. EPA expects this recommendation to be addressed when the new grants management system is fully implemented. EPA anticipates deployment of the new cloud solution in December 2020.
GAO-15-509, Jul 2, 2015
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of July 2020, Congress had not granted NCUA this authority.
GAO-15-431, May 21, 2015
Phone: (202) 512-4456
Agency: Department of Commerce
Status: Open
Comments: As of January 2020, the Department of Commerce had not implemented this recommendation. In July 2018, the department provided an inventory that shows, by service provider and department component, the number of devices per rate plan and monthly rate; however, the inventory did not include the number of voice minutes, gigabytes of data, and text messages allowed per line per month. Furthermore, the department had not demonstrated that it had accounted for all of its mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Commerce
Status: Open
Comments: As of January 2020, the department had not addressed the recommendation. In July 2018, the department described steps it was taking to identify lines that were inactive for a period of three or more continuous months (zero usage). However, as of January 2020, the department had not demonstrated that it has established documented procedures that address the elements of our recommendation. We will continue to monitor the department's progress.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense partially concurred with our recommendation; however, as of January 2020, the department had not implemented it. In response to our report, the department stated that it agreed that such an inventory has merits, but that maintaining one comes at considerable expense and effort. The department also stated, in 2016, that while it does not maintain a single, centralized device level inventory, the military departments track and manage their own devices and services. As we stated in our report, the inventory need not be generated centrally at the headquarters level; the department can compile a comprehensive inventory using its components' complete inventories. As of January 2020, the department had not demonstrated that all its components had inventories of unique devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense stated that it partially concurred with our recommendation and has taken steps to address it. However, as of January 2020, the department had not demonstrated that it had implemented the recommendation. In response to our report, the department stated that it agreed that developing an inventory of mobile device contracts has merits, especially in a time of restricted government spending. The department also described several efforts it had undertaken to enhance mobile device management. However, as we stated in our report, any approach to managing mobile device contracts will be hampered by the lack of complete information on the contracts that are already in place. In August 2018, the department developed an inventory of mobile service contracts. However, the department had not demonstrated that the inventory included all its components' mobile service contracts. In August 2019, the department described steps it was taking to ensure that it has a complete inventory of mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: As of December 2019, the Department of Health and Human Services had not implemented this recommendation. We will continue to monitor the department's implementation of this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: In October 2019, the Department of Homeland Security developed an asset and inventory management plan for managing devices under its enterprise blanket purchase agreement. The plan includes procedures for assessing devices for zero usage; however, it does not include procedures for assessing over and under usage. The department also has not demonstrated that it has established procedures for devices not covered by its enterprise blanket purchase agreement. We will continue to monitor the department's efforts.
Agency: Department of the Interior
Status: Open
Comments: The Department of the Interior has not demonstrated that it has fully implemented this recommendation. As of January 2020, the department demonstrated that only one of its components, the Bureau of Reclamation, had an inventory of mobile devices and associated services. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of the Interior
Status: Open
Comments: As of January 2020, the Department of the Interior had not demonstrated that it had fully addressed this recommendation. In August 2019, the department developed an inventory of mobile service contracts. However, the department did not demonstrate that it had accounted for all of its mobile service contracts. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Justice
Status: Open
Comments: As of January 2020, the Department of Justice has made progress implementing this recommendation; however, more remains to be done. Specifically, in response to our findings, in April 2015, the department's Chief Information Officer issued a memo that required components to establish procedures for regular reviews of invoices for wireless services to identify unused and underused devices or services, as well as any over-usage charges to service plans. One of the components we reviewed, the Federal Bureau of Investigation, established procedures in July 2016 to monitor mobile device usage. In addition, the Justice Management Division (JMD) established procedures in May 2019 that apply to JMD as well as some, but not all, other components. The other component we reviewed in our report, the Drug Enforcement Agency, had not established procedures that address our recommendation. We will continue to monitor the department's progress.
Agency: Department of State
Status: Open
Comments: As of January 2020, the Department of State had not demonstrated that it has implemented this recommendation. The department has inventories of mobile devices; however, the inventories do not include the services associated with each device. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of State
Status: Open
Comments: As of January 2020, the Department of State had not implemented this recommendation. In June 2019, the department said it has a Telecom Expense Management System which can be used to document an inventory of domestic service contracts; however, the department did not provide the inventory. Furthermore, the department did not demonstrate that it has an inventory of international service contracts. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Transportation
Status: Open
Comments: As of January 2020, the Department of Transportation had not addressed the recommendation. In December 2019, an official from the department's Audit Relations and Program Improvement office stated that all the department's telecommunication devices are managed through two programs and that these programs have mechanisms in place to ensure that telecommunications are managed in an effective and efficient manner. However, as of January 2020, the department had not provided evidence to demonstrate that it had implemented the recommendation. We will continue to monitor the department's efforts.
Agency: Department of the Treasury
Status: Open
Comments: As of January 2020, the Department of the Treasury had not implemented the recommendation. In August 2019, the department stated that it had established enterprise-wide procurement vehicles for mobile devices. However, as of January 2020, the department had not demonstrated that it has an inventory of mobile devices and associated service information. We will continue to monitor the department's progress in implementing this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not implemented the recommendation. We reported in May 2015 that NASA had an inventory of mobile devices and associated service information which included most, but not all, of the devices used by the agency. In November 2019, NASA's Office of the Chief Information Officer (OCIO) stated that the agency was in the process of enrolling devices in a new mobile device management tool, and that when the approximately 15 percent of devices that are not currently on NASA's new End-User Services Technology contract are brought on the contract, NASA will have a monthly deliverable depicting the services of all mobile devices. We will continue to monitor NASA's implementation of this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not demonstrated that it has implemented the recommendation. NASA's Office of the Chief Information Officer (OCIO) stated that NASA had established, on September 1, 2019, the NASA End-User Services and Technology contract to procure mobile services, but as of November 2019, had not yet included 15 percent of its devices on the new contract. We will continue to monitor NASA's efforts to develop and maintain a mobile services contract inventory as described in our report.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: As of January 2020, the National Aeronautics and Space Administration (NASA) had not demonstrated that it had implemented the recommendation. In November 2019, NASA's Office of the Chief Information Officer (OCIO) stated that as part of enterprise mobility service contract deliverables, NASA requires monthly reports to monitor and optimize usage (zero, under, and over). NASA's OCIO also stated that the agency established role-based privileges to monitor and report on this activity agency-wide. However, the agency has not demonstrated that it has established procedures to assess device usage in accordance with our recommendation. We will continue to monitor NASA's implementation of the recommendation.
Agency: Department of the Treasury
Status: Open
Comments: As of January 2020, the Department of the Treasury had not demonstrated that it has implemented the recommendation. In August 2019, an official from the department's Office of the Chief Information Officer stated that the department was collecting and analyzing information on voice and data utilization. However, as of January 2020, the department had not demonstrated that it had established procedures in accordance with our recommendation. We will continue to monitor the department's progress in implementing this recommendation.
GAO-15-315, Mar 31, 2015
Phone: (202) 512-6253
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Office finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.
GAO-15-282, Feb 26, 2015
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: As of January 2020, DOD had made limited progress addressing our recommendation for business system programs; however, it had not addressed the recommendation for non-business system programs. Specifically, the department updated its instruction on business systems requirements and acquisition to include, among other things, guidance on establishing baselines against which to measure progress for developing needed business capability. However, the instruction did not explicitly require that a program baseline be established within 2 years. Specifically, according to the instruction, baselines may be established at the program level or at the release level (i.e., for a manageable subset of functionality in support of the business capability), within 2 years after programs have validated a business capability is needed and received approval to conduct solution analysis. If at the program level, the baseline is to be set prior to the development of the first release or deployment. If at the release level, the baseline is to be set prior to the development of each release or deployment. In January 2020, the department also issued interim policy for software-intensive systems. However, while the interim policy requires program managers to develop an acquisition strategy that includes delivering software within one year from the date funds are first obligated to acquire or develop new software capability, the interim policy does not require software-intensive system programs to establish a program baseline within 2 years.
GAO-15-247, Jan 27, 2015
Phone: (202) 512-2834
Agency: Congress
Status: Open
Comments: As of March 2019, Congress has passed several FAA authorization extensions and the FAA Reauthorization Act of 2018 that did not include any actions related to this matter. We will continue to monitor legislation, and when we determine what steps the Congress has taken regarding this matter, we will provide updated information.
GAO-15-56, Dec 10, 2014
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Housing and Urban Development
Status: Open
Comments: HUD has not provided information demonstrating that the department has addressed this recommendation. HUD reported that it established a new executive-level investment review board (i.e., the Executive Operations Committee) that replaced the board discussed in our report. The department also provided evidence of the board's initial governance activities, including providing criteria to guide board decision-making in January 2017. However, the board has not continued to meet and act in accordance with its charter. In April 2019, HUD reported that it was updating its governance process and charters and stated an intent to ensure that executive-level decision making is clearly defined including when a decision needs to be made, at what level that decision needs to be made, what criteria should be used, and how that decision will be communicated. HUD has not yet provided evidence that the updated governance process and charter have been finalized and implemented.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The department has taken steps to address this recommendation. In 2015, HUD updated its Project Planning and Management policy. Since that time, the department has developed additional policies (e.g., IT risk management policy), revised policies for the IT management framework and Agile development, and reported that it reviewed OCIO's existing policies in September 2018. In October 2018, HUD provided a copy of the draft of the revisions to its IT Management Framework (dated February 2018) and OCIO reported plans to continue developing and maintaining IT policies for each of the framework's elements and to review policies for currency annually on the anniversary date of the policy. As of March 2019, HUD reported that a central repository had been developed to store, track and monitor policy reviews. GAO is seeking additional evidence from the newly implemented policy review process.
Agency: Department of Housing and Urban Development
Status: Open
Comments: HUD has provided information demonstrating that the department has addressed elements of this recommendation. In 2015, HUD reported that it had begun using a new tool to support its IT selection process. In May 2018, the department provided a demonstration of its HUD PLUS tool, including how it had used the tool to automate its selection process. The officials demonstrated how the tool is being used to review proposed projects. They reported that segment sponsors are responsible for validating data submitted but have not provided evidence that the department has developed guidance for that process. The officials demonstrated how the tool supports analysis of investment costs, schedule, and risk. They also demonstrated how the tool helps the Office of the Chief Information Officer compare investments based on cost and showed how decision makers access information and can perform analysis for all projects in the system. Department officials have not yet provided evidence that HUD has improved each of the areas noted in our recommendation. OCIO reported in April 2019 that it intends to: conduct the selection process on a more frequent basis and allow more time for annual budget considerations, improve performance metrics, and further incorporate cost-benefit analysis. OCIO also reported that it intends to better incorporate its management and oversight of the portfolio into a more formal "re-select" process. OCIO also reported that HUD was updating its governance policies to detail the criteria, data, and process used to select investments and targeting action to close this recommendation in 2019.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The department has taken steps to address this recommendation. Specifically, in April 2016, HUD provided examples of cost savings that the department had identified by "scrubbing" existing contracts during the budget formulation process, along with copies of a template that it designed and used to help identify such savings. In May 2018, department officials provided a demonstration of the HUD PLUS tool, including screens staff could use to report cost savings and avoidances related to specific projects--although they reported that HUD was not yet using that functionality. In April 2019, OCIO reported that HUD was updating its governance process and charters to ensure that executive-level decision making will be clearly defined. OCIO also reported an intent to implement Technology Business Management to, among other things, improve and expand the tracking of investments. HUD expects these two efforts to facilitate better tracking of the savings and efficiencies resulting from IT decisions. The department has not yet provided evidence that it has established guidance supporting a repeatable process for tracking enterprise-wide IT related cost savings and operational efficiencies, including those related to HUD's governance decisions.
Phone: (202) 512-6244
Agency: Department of Veterans Affairs
Status: Open
Comments: Veterans Affairs concurred with the recommendation but as of June 2020 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.
GAO-14-675, Sep 18, 2014
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation and the Veterans Health Administration (VHA) and the Office of Information and Technology (OIT) have been working jointly on projects since 2015 to improve and replace the IT system for the Family Caregiver Program. However, two of these projects were terminated without delivering viable software improvements or a replacement system. According to two independent assessments, these prior efforts lacked both effective leadership and implementation of the processes needed for requirements management. In March 2019, VA began a third project, the Caregiver Record Management Application (CARMA), in which OIT and VHA began to acquire and implement a commercial product to replace the program's existing IT system. In February 2020, VA reported that to support the administrative needs of the Family Caregiver Program it had transitioned from its previous IT system to CARMA, its new IT system, in two stages: 1) In October 2019, VA deployed an initial release of CARMA for data entry of veterans and caregivers newly participating in the program, and 2) On December 2, 2019 the transition of existing veterans and caregivers to CARMA occurred. VA also reported in February 2020 that further enhancements and improvements to CARMA would be released over the coming months. However, the department has not yet fully committed to a date by which it will certify that CARMA fully supports the program. As of July 2020, this recommendation remains open pending further updates.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with this recommendation. VA transitioned in late 2019 to a new IT system, the Caregiver Record Management Application (CARMA). However, the Department has not yet certified the readiness of CARMA to fully support the needs of the Program of Comprehensive Assistance for Family Caregivers (Family Caregiver Program). Prior to the transition to CARMA, VA had developed manual processes to obtain and monitor key data points, allowing it to reassess policies and procedures for the Family Caregiver Program. In its September 2019 update, VA reported that it anticipates being able to certify the IT system when proposed regulatory changes to enable the expansion of the Family Caregiver Program are finalized and the necessary changes which have an impact on IT are implemented. VA also reported that following certification, IT development will continue on IT requirements that do not directly impact VA's ability to expand the program, such as improving the program's ability to track and report on clinical appeals. As of July 2020, this recommendation remains open pending further updates on how VA plans to use data from the IT system to monitor and assess the program's performance.
GAO-14-450, Jun 5, 2014
Phone: (202) 512-4841
Agency: Congress
Status: Open
Comments: As of July 2020, Congressional action has not been taken. GAO will continue to follow up with relevant congressional committees.
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: The agency concurred with this recommendation. Since the issuance of GAO's report, in February 2016, Congress directed the Coast Guard to develop a long-term plan to cover fiscal year 2017 and 20 years thereafter and that it should be updated every two years. In November 2017, officials told GAO that the Coast Guard was developing a 20-year long-term plan that specifically focused on the highest priority recapitalization and sustainment efforts for its assets and will focus on meeting the intent of the 2016 congressional mandate. However, as of July 2020, the Coast Guard has not completed this plan. At that time, officials said that the Coast Guard continues to refine the process to define the long term acquisition and capital sustainment needs of the Service and align them with published and anticipated fiscal top line budgets. The Coast Guard is working with internal and external stakeholders to define useful parameters in order to complete work to close this recommendation. GAO will continue to monitor the Coast Guard's actions in completing its long-term plan given that GAO's recent work has found that the Coast Guard continues to pursue an unaffordable acquisition portfolio that is not likely to fully address all known and anticipated capability gaps.
GAO-14-413, May 22, 2014
Phone: (202) 512-4456
Agency: Department of Commerce
Status: Open
Comments: In April 2018, the Department of Commerce reported that training will be concurrent with the implementation of the new inventory. It estimates the completion of this to be June 30, 2019. In October 2017, the department reported that they were reaching out to another federal agency to learn about the software license management training they offer to incorporate lessons learned into Commerce's future training plans. However, as of November 2019, the department has not provided an update on these efforts. GAO will continue to monitor the department's progress in implementing this recommendation.
Agency: Department of Transportation
Status: Open
Comments: In April 2018, the Department of Transportation stated that it has developed a policy addressing components of centralized management and management of software licenses through the entire life cycle. However, Transportation's Order 1351.21 was issued in June 2009 and has not been updated since our report was issued to include the weaknesses we identified. Specifically, the order identifies the roles and responsibilities and the central oversight authority for managing enterprise license agreements, but does not specify policy on establishing goals and objectives of the software license management program and considering the software license management life-cycle phases to implement effective decision making and incorporate existing standards, processes, and metrics. We will follow up with the department to obtain evidence of the department-wide implementation of this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: In April 2018, the Environmental Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses, an analysis to inform decision making, education and training goals and overall management throughout the lifecycle. In addition, the agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as its Office of Acquisition Management's consolidation of its Microsoft suite. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: In April 2018, the Environmental Protection Agency reported that it is currently taking steps to develop a comprehensive policy that will address a centralized management program of licenses. In addition, the agency stated that it is still leveraging the efforts of the Continuous Diagnostics and Mitigation project as well as leveraging its Office of Acquisition Management's consolidation of enterprise licenses. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: In March 2019, the Nuclear Regulatory Commission reported that the agency's IT asset management program requires training and communication, as appropriate for all key personnel. The agency also reported that on September 19, 2018, personnel associated with software asset management attended relevant training and will also participate in software training that is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute and the Defense Acquisition University. We will follow up with the agency to obtain supporting documents and continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management concurred with this recommendation and in September 2015, reported that it had developed a guide to capture enterprise architecture lifecycle activities including software licensing management, acquisition, and requirements during several points of the project lifecycle. In April 2018, the office reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 reported that it is finalizing a revised Life Cycle Management draft policy which will use stage gate reviews to evaluate the progress of projects including software licenses throughout the agency. According to OPM, once the new policy is approved, OPM subject matter experts will review project documentation during stage gate reviews to make written recommendations on whether projects should continue. OPM's Investment Review Board will then review that recommendation and other procurement documentation to make a final recommendation to the OPM Director. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We plan to continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. OPM also reported that it is assembling and performing quality reviews on hardware and software lists currently maintained in spreadsheets, in its enterprise architecture systems database, and Remedy database in order to consolidate the entire hardware and software asset inventory. In April 2018, OPM reported they have no changes to the status of this recommendation, but expect substantive updates later this year. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with this recommendation and in September 2015 OPM reported that it acquired an enterprise architecture repository tool and is collecting information on its software applications. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management (OPM) concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: The Office of Personnel Management concurred with our recommendations and noted actions the agency plans to take. In April 2018, OPM reported they have no changes to the status of this recommendation. We will continue to monitor its progress in implementing this recommendation.
GAO-14-283, Feb 12, 2014
Phone: (202) 512-6304
including 1 priority recommendation
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: In July 2018, the Office of the Chief Information Officer (OCIO) reported that the goal of the Chief Technology Officer's technical assessment of HUD's IT environment was to identify gaps and develop an implementation strategy and approach to establish a modernization roadmap. As of March 2020, OCIO reported that it had completed the technical assessment to identify gaps in IT. The department has also taken action to define an overall modernization approach, including the scope, implementation strategy, and schedule for modernizing its IT environment and systems. However, as of March 2020, HUD had not yet established measures for overseeing its modernization efforts.
GAO-14-44, Jan 13, 2014
Phone: (202) 512-6244
Agency: Department of Agriculture
Status: Open
Comments: Although department officials have stated that they plan to take actions to address this recommendation, as of July 2019 we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: Although department officials have stated that they are taking actions to address this recommendation, as of August 2020, we have not yet received information to validate agency actions. Subsequent to the agency sending documentation, we plan to verify whether implementation has occurred.
GAO-14-75, Dec 16, 2013
Phone: (202) 512-7114
Agency: Department of Health and Human Services
Status: Open
Comments: As of April 2019, HHS officials reported that they were implementing new requirements for qualified CDRs, but these requirements were not related to demonstrating improvement on the measures of quality and efficiency, as GAO recommended. We will update the status of this recommendation when we receive additional information.
Agency: Department of Health and Human Services
Status: Open
Comments: As of April 2019, HHS officials have not informed us of any actions taken to implement this recommendation. We will update the status of this recommendation when we receive additional information.
Agency: Department of Health and Human Services
Status: Open
Comments: As of April 2019, HHS officials have not informed us of any actions taken to implement this recommendation beyond providing limited technical assistance to qualified CDRs through monthly support calls and an annual kick-off meeting. We will update the status of this recommendation when we receive additional information.
Agency: Department of Health and Human Services
Status: Open
Comments: As of April 2019, HHS officials have not informed us of any actions taken to implement this recommendation. We will update the status of this recommendation when we receive additional information.
GAO-14-108, Dec 9, 2013
Phone: (202) 512-4841
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: In providing comments on this report, OMB generally concurred with this recommendation. The FAR Council members issued a timetable in Spring 2020 for the proposed regulatory changes to address the use of reverse auctions in response to GAO's recommendations and 2015 guidance released by the Office of Federal Procurement Policy (OFPP). The notice of proposed rulemaking was planned for August 2020. As of August 10, 2020, the notice of proposed rulemaking had not been published. OMB officials did not provide a revised date when they planned to publish the notice.
GAO-14-5, Dec 3, 2013
Phone: (202) 512-7215
Agency: National Mediation Board
Status: Open
Comments: In February 2020, we determined that NMB had taken some steps to further implement key information security practices, but had not fully implemented this recommendation. We reported in GAO-20-236 that NMB continued to only partially follow the eight key information security practices in accordance with the Federal Information Security Management Act (FISMA). NMB must take other steps, such as providing risk assessment documentation of its enterprise network for fiscal year 2019. NMB officials stated that the agency plans to address several of these practices by the end of fiscal year 2020. They further noted that they hired a Chief Information Officer and planned to hire additional staff and employ contractors to aid in these efforts.
Agency: National Mediation Board
Status: Open
Comments: In February 2020, we reported in GAO-20-236 that NMB had taken some steps to implement information privacy practices, such as designating a privacy officer. However, NMB must take additional steps, such as specifying whether a system of records notice would be developed, as required by the Office of Management and Budget.
GAO-14-65, Nov 6, 2013
Phone: (202) 512-9286
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2019, OMB had taken steps to improve transparency of and accountability for PortfolioStat, as GAO recommended in November 2013. In October 2015, the agency started displaying actual data consolidation savings data on the federal information technology (IT) dashboard. As of April 2018, however, OMB was not requiring that agencies report planned PortfolioStat cost savings, stating this was a result of agency feedback and of streamlining data collection efforts based upon the decision that reporting on realized cost savings is more valuable than reporting on planned or projected cost savings. In March 2019, OMB stated that it was "exploring better approaches to cost savings as reported by agencies to the IT Dashboard." We are following up with OMB to determine whether these approaches include publicly disclosing planned and actual data consolidation efforts and related cost savings by agency.
Agency: Department of Commerce
Status: Open
Comments: In October 2018, Commerce described its process for updating its IT asset inventory as part of the budget formulation process and provided a mapping of investments to its enterprise architecture as evidence that it had implemented this recommendation. However, the department did not provide any policies and procedures supporting the process it described to us. In addition, it did not provide any evidence of controls to ensure that all investments had been captured in the enterprise architecture. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.
Agency: Department of Commerce
Status: Open
Comments: In October 2018, Commerce officials told GAO about actions taken that they believed addressed the recommendation and provided supporting documentation. Specifically, they stated that they send out an annual data call for bureaus to provide their IT asset inventory as part of the budget submission process. They stated they also perform department-level validation of the bureaus' inventories and aggregate them into a single department inventory. As evidence, they provided a data call memo with supporting instructions and a template for bureaus to establish an IT asset inventory. They also provided examples of three bureau inventories received in response to data calls. In addition, they provided the final aggregated inventory (for fiscal year 2017) and department-level validation of bureau submissions. However, the department did not provide any policies or procedures documenting the process they described. In addition, we could not determine whether the creation of the department-wide inventory was a one-time effort or a recurring activity. In January 2020, the department told us that its Office of the Chief Information Officer had new leadership and as a result the department was expected to make significant progress in addressing the recommendation this year.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In January 2019, our contact from the Office of the Chief Information Officer told us that the department had recently established an IT Purchase Request (ITPR) process for controlling spending that had a built-in IT asset inventory process that would address the recommendation. In August 2019, we received documentation on the ITPR process as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense did not concur with the recommendation, stating that the commodity IT construct implemented by OMB with PortfolioStat did not work with the department's federated management process. However, the department agreed that a strategy, consistent with the intent of achieving better buying power and control of commodity IT items, should be developed and implemented within the department using existing authorities and stated that it was in the process of implementing this strategy. In January 2019, the Office of the Chief Information Officer's Director for Performance Management stated that while the CIO did not have the authority to consolidate commodity IT spending, the department had taken actions he believed addressed the intent of the recommendation to gain visibility into IT spending. Specifically, he stated that the department established a policy to leverage its buying power for commodity IT purchases (for example for software licenses). In addition, the department recently established an IT Purchase Request (ITPR) process for controlling IT spending. In August 2019, we received documentation related to those actions as part of an ongoing engagement. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense concurred with the recommendation and stated that it already reported data center consolidation savings and would continue to realize savings from the Enterprise Software Initiative, other strategic sourcing efforts and the implementation of the General Fund Enterprise Business System initiatives. Through other engagements, in August 2016, we had collected support for data center consolidation and Enterprise Software Initiative savings for fiscal years 2013 to 2015. In January 2019, the Office of the Chief Information Officer's Director for Performance Management told us that the department had not been tracking savings generated by other commodity IT initiatives due to the difficulty in doing so; however, it was tracking an "other" category of savings through OMB's integrated data collection instrument (IDC) process, which he believed addressed the intent of our recommendation. He noted that the "other" category tracks savings from various OMB IT reform initiatives. Mr. Johnson said he had sent a recent IDC report along with supporting documentation to GAO to address a recommendation made in GAO-15-296. We are reviewing the documentation to determine whether it is sufficient to close the recommendation.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense concurred with the recommendation and stated that, in the future, USACE would fully describe the four action plan elements when reporting to OMB. In August 2016, the department reported that it had addressed and closed the recommendation in February 2015 and cited policies, procedures, and other supporting documentation as evidence. However, the department did not provide the supporting documentation. In April 2018, the department provided several documents as evidence of its efforts to address this recommendation, including an order outlining the capital planning investment management process for the fiscal year 2017. We determined that the documents did not support the department's claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.
Agency: Department of Defense
Status: Open
Comments: The Department of Defense partially concurred with the recommendation and stated that it had efforts underway to further define the department's commodity IT baseline. In August 2016, the department reported that it had addressed and closed the recommendation in October 2014 and described several actions that it believed contributed to addressing the recommendation, including continued improvements to data center reporting and greater understanding of IT infrastructure costs. However, the department did not provide any documentation to support its claims. In January 2019, the department told us it would provide an update on the status of actions to address the recommendation. As of August 2019, the department had not yet provided any update.
Agency: Environmental Protection Agency
Status: Open
Comments: In September 2016, we reported that the Environmental Protection Agency's (EPA) Registry of Environmental Protection Agency Applications, Models and Databases (READ) system had a complete inventory of enterprise IT and business systems (two of three categories of IT assets that make up a commodity IT baseline) and that the agency had processes in place to regularly update this inventory to ensure its completeness (see GAO-16-511). We have been following up with EPA to obtain its inventory of IT infrastructure systems (the third commodity IT category) and determine the agency's process to ensure the completeness of this inventory. In a December 2019 update, EPA told us that it was working on a response to the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: In November 2016, the Environmental Protection Agency (EPA) reported making progress in addressing the three action plan elements through implementation of the Federal Information Technology Acquisition Reform Act (FITARA) and efforts to assess applications in its inventory. In June 2019, the agency provided supporting documentation. We are reviewing the documentation to determine whether it fully addresses the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: Between July and December 2016, the Environmental Protection Agency (EPA) reported that it had implemented a managed print service contract for headquarters in 2014 and was preparing to award a new contract to also cover its regions. The agency also reported that it plans to use one of the government-wide contracts identified in OMB's policy on improving the acquisition and management of common IT for its end user computing needs. EPA, however, did not provide documentation supporting these efforts. In a December 2019 update, EPA told us that it was working on a response to the recommendation.
Agency: Department of Justice
Status: Open
Comments: In October 2019, the department stated that its budget formulation process ensures that all investments are included in its enterprise architecture (EA). Specifically, the department stated that, as part of the budget formulation process, the EA group reviews investments and aligns them to the business areas within the EA framework by assigning them business reference model codes. To support its claims, in November 2019, the department provided a list of investments showing their alignment with the business reference model codes for the fiscal year 2021 budget formulation process. However, the department did not provide evidence of the EA group's review process. As of January 2020, we were following up with the department to obtain this evidence.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: In February 2018, NASA reported that it was making revisions to its enterprise architecture policy that would assist with ensuring that 100 percent of the agency's information technology investments are in the enterprise architecture. In July and December 2018, the agency provided updates on its efforts along with supporting documentation, though not enough to fully address the recommendation. In July 2019, the agency stated it also had efforts underway to centralize IT governance under the Chief Information Officer and that this would contribute to reflecting all investments in the enterprise architecture. The agency stated it would continue to update us on the status of its efforts to address the recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: In February 2020, OPM stated that it was developing a service catalog with cost information and allocation components which together with the agency's software inventory would be used for cost avoidance moving forward. However, OPM did not provide supporting documentation. In addition, it was not clear whether the service catalog and software inventory would together include enterprise IT, IT infrastructure, and business systems, the three categories of IT assets that comprise a commodity IT baseline. We will continue to monitor OPM's efforts to address the recommendation.
Agency: Office of Personnel Management
Status: Open
Comments: In October 2018, OPM provided evidence that it had addressed the action plan element regarding the migration of two commodity IT areas to shared services. Specifically, OPM provided an August 2016 interagency agreement showing plans to migrate its financial management system to a shared service and a May 2018 interagency agreement showing plans to migrate its human resources and time and attendance system to a shared service. However, the interagency agreements were not signed. Regarding the action plan element to target duplicative systems or contracts that support common business functions for consolidation, OPM stated that it had targeted laptops and mobile phones for consolidation. In addition, OPM did not provide any evidence of reporting to OMB for either action plan element. In February 2020, OPM stated that, in addition to entering into an interagency agreement for its financial management system and consolidating the procurement of agency-wide laptops and cellphones using an enterprise-wide contract, it was also working to close two of its five major data centers to consolidate to three. OPM said that it was gathering the documentation to support its claims.
Agency: Office of Personnel Management
Status: Open
Comments: In February 2020, OPM stated that its IT help desk function had become a shared service starting in October 2019. However, OPM did not provide supporting documentation. In addition, OPM stated it did not have any updates on the IT asset inventory. We will continue to monitor the agency's efforts to address this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: In September 2014, the Department of the Treasury reported that it did not plan to consolidate commodity IT spending under the agency CIO. Specifically, the department stated that commodity IT investment decisions were consolidated under the Treasury Technology Investment Review Board which is co-chaired by the agency CIO and Assistant Secretary for Management; and that it did not see the benefit of combining the budget authorities of the various bureau infrastructure investments. In regards to establishing criteria to identify wasteful, low-value, and duplicative investments, in September 2014, the department stated that the Treasury Technology Investment Review Board and Technology Advisory Working Group had established an approach that considers risk, value and cost in reviewing investment requests to identify wasteful, low-value, and duplicative investments. As of May 2019, we were reviewing documentation we received from the department in September 2018 to determine whether the recommendation has been fully addressed.
Agency: Department of the Treasury
Status: Open
Comments: In September 2014, the Department of the Treasury described several examples of processes it had established to identify opportunities to reduce duplicative, low-value or wasteful investments, including annual reviews of each major IT investment and monthly portfolio reviews. As of May 2019, we were reviewing updated information we received in September 2018 to determine whether the recommendation has been fully addressed.
GAO-13-663, Sep 25, 2013
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: As of July 2020, Congress has not taken action on this matter.
GAO-13-557, May 17, 2013
Phone: (202) 512-6304
Agency: Department of Defense
Status: Open
Comments: DOD has made significant progress addressing the recommendation; however, as of November 2019, more remained to be done. In particular, in 2015, we reported that the department had taken steps to improve the integration of business enterprise architecture information with other existing information, which allows DOD to identify information such as mapping of existing business systems to system functions. More recently, in 2017, the department awarded a contract to improve its business enterprise architecture. According to the department, the objective of the contract was to improve business and system optimization by providing mechanisms to ingest and discover enterprise architecture content from all department components and allow for cross-domain portfolio reviews to include duplication analysis. More specifically, the contract called for developing three major capabilities, including the ability to conduct process and system reviews within and across domains. In October 2019, the Office of the Chief Management Officer (CMO) demonstrated that it had completed development of the three planned capabilities and the office said it was working to host the capabilities in a government-approved cloud environment. With regard to including business capabilities for the Hire-to-Retire and Procure-to-Pay business processes in the business enterprise architecture, the department stated that the new architecture is to identify the business capabilities and processes associated with Lines of Business, which will be defined as a decomposition of the products and services that the business enterprise delivers to the department's components. In September 2019, officials from the Office of the CMO stated that the department plans to review end-to-end processes that comprise the current business enterprise architecture for currency and relevancy. However, the officials did not indicate when they expect to complete this review.
Agency: Department of Defense
Status: Open
Comments: As of November 2019, the Department of Defense (DOD) had not addressed the recommendation. In May 2013, we reported that, for the fiscal year 2013 certification of business systems, functional strategies included many, but not all, of the critical elements required by DOD's guidance. Specifically, not all functional strategies demonstrated linkages to business goals in DOD's strategic management plan, and not all included expected outcomes for all functional area goals. In addition, some, but not all, had performance measures in place for assessing progress toward achieving stated goals. However, none of the functional strategies included performance measures that reflected all of the key attributes identified in DOD's guidance. We also reported that for the 2014 certification cycle, the functional strategies had been improved. However, not all of them had performance measures that included all key attributes called for in the guidance. Specifically, all performance measures did not include baseline and target measures, and provide a rationale for the identified targets. In June 2018, DOD revised the required functional strategy elements in its defense business system investment management guidance. However, as of November 2019, the department had not ensured that its functional strategies include all of the elements identified in the guidance. The guidance still requires that functional strategies include business outcomes that link to goals in DOD's strategic management plan. In addition, while the guidance no longer calls for the key performance measure attributes that we assessed in our 2013 report (i.e., baseline and target measures and a rationale for identified targets), the new guidance requires that business outcomes include measurable targets. However, none of the fiscal year 2019 functional strategies fully addressed most of the required elements. 
For example, none of the functional strategies demonstrated that business outcomes were clearly linked to the department's strategic management plan goals, as required by the 2018 investment management guidance. In addition, none of the strategies included measurable targets. An official from the office of the Chief Management Officer (CMO) demonstrated that the department's Integrated Business Framework-Data Alignment Portal, which is used to record functional strategies, includes business outcomes that are aligned to goals and objectives in the National Defense Business Operations Plan (i.e., the agency strategic plan). The official also demonstrated that most functional strategies link to at least one performance measure from the National Defense Business Operations Plan. However, the official agreed that the published functional strategies did not clearly link outcomes to the department's strategic management plan. Further, officials from the office of the CMO stated in September 2019 that the functional strategies for fiscal year 2019 were not revised for fiscal year 2020.
Agency: Department of Defense
Status: Open
Comments: As of November 2019, DOD had not addressed the recommendation. In 2013, we reported that the department's investment management guidance did not specify a process for conducting an assessment or call for the use of actual versus expected performance data and predetermined thresholds for evaluating portfolio performance. In addition, the department did not call for assessments to be conducted in four key areas: benefits attained; current schedule; accuracy of project reporting; and risks that have been mitigated, eliminated or accepted to date. We also reported in 2013 that the department's investment management guidance identified four criteria and specified the associated assessments that were to be conducted when reviewing and evaluating components' organization execution plans in order to make a portfolio-based investment decision. However, the guidance did not call for the department's organizational execution plans to include critical information for conducting assessments associated with three of the four criteria. Specifically, it did not include information for conducting assessments associated with strategic alignment (i.e., information on alignment with the capital planning and investment control practices and Better Buying Power guidance), utility (i.e., interoperability among systems and system scalability to support additional users) and total cost (i.e., cost in relationship to return on investment). In September 2019, the department stated that the Office of the Chief Management Officer's investment management guidance, investment management training materials, and organizational execution plan addressed elements of the recommendation. However, the documents did not specify a process for evaluating portfolio performance that includes the use of actual versus expected performance data and predetermined thresholds.
Regarding ensuring that portfolio assessments are conducted in key areas identified in our IT investment management framework: benefits attained; current schedule; accuracy of project reporting; and risks that have been mitigated, eliminated, or accepted to date, the June 2018 investment management guidance requires organization execution plans to include risks and risk mitigation strategies. In addition, the investment management guidance requires the plans to include information about benefits attained. Specifically, the plans are to include progress against targets for business goals documented in functional strategies. However, the guidance does not address the remaining key areas identified in our IT investment management framework: current schedule; accuracy of project reporting; and risks that have been eliminated or accepted to date. In addition, the guidance does not call for this information to be used as part of portfolio assessments. Regarding ensuring that the documents provided to the Defense Business Council as part of the investment management process include critical information for conducting assessments, in September 2019, the department stated in a written response that business system certification decisions are made in accordance with criteria established in 10 U.S. Code Section 2222. However, as of November 2019, the department had not demonstrated that it established guidance that calls for documents to include critical information on alignment with the capital planning and investment control practices and Better Buying Power guidance, utility (i.e., interoperability among systems and system scalability to support additional users) and total cost (i.e., cost in relationship to return on investment), which are criteria it established in its investment management guidance for making certification decisions.
GAO-13-149, Mar 7, 2013
Phone: (202)512-4523
Agency: Congress
Status: Open
Comments: All the Matters for Congressional Consideration are contingent on the implementation of another round of BRAC. As of June 30, 2020, Congress has not authorized another round of BRAC.
Agency: Congress
Status: Open
Comments: All the Matters for Congressional Consideration are contingent on the implementation of another round of BRAC. As of June 30, 2020, Congress has not authorized another round of BRAC.
Agency: Congress
Status: Open
Comments: All the Matters for Congressional Consideration are contingent on the implementation of another round of BRAC. As of June 30, 2020, Congress has not authorized another round of BRAC.
Agency: Congress
Status: Open
Comments: All the Matters for Congressional Consideration are contingent on the implementation of another round of BRAC. As of June 30, 2020, Congress has not authorized another round of BRAC.
GAO-13-99, Nov 19, 2012
Phone: (202)512-6304
Agency: Congress
Status: Open
Comments: Congress had taken a number of actions that affect the NTIS fee-based model for disseminating technical information. Specifically, for the past 5 fiscal years and in the current Consolidated Appropriations Act, 2020, NTIS is prohibited from charging customers for reports generated by legislative branch offices unless the agency tells the customer how an electronic copy of the report can be accessed or downloaded for free online. The act further states that, if a customer still requires such a report from NTIS, the agency should not charge more than what is needed to recover the cost of processing, reproducing, and delivering the document requested. It remains to be seen whether these requirements will be continued under the yet to be introduced House and Senate bills making appropriations for the Department of Commerce (Commerce) for fiscal year 2021. Congress again has the opportunity to consider legislation that would ensure the assessment of the appropriateness or viability of NTIS functions.
GAO-12-791, Sep 26, 2012
Phone: (202) 512-3000
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce has not implemented this recommendation. Since we reported in 2012 that the department had established metrics for measuring enterprise architecture outcomes but not a method for measuring the metrics, the department issued an Enterprise Architecture Value Measurement Plan in April 2018. This plan included outcome metrics; however, the department had not documented a method for measuring the metrics. In January 2020, the department's Office of the Chief Information Officer (CIO) stated that the department recently appointed a new CIO (acting) and was in the process of revisiting strategic planning initiatives and implementation to ensure they are congruent with the IT strategic vision and objectives. The Office of the CIO also said it was hiring a new Chief Enterprise Architect, which would impact previous initiatives and strategies. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense
Status: Open
Comments: In December 2019, the Department of Defense Office of the Chief Information Officer stated that it would establish an approach to measuring enterprise architecture outcomes defined in the DOD Digital Modernization Strategy, by September 2020.
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Department of the Navy has not demonstrated that it has implemented our recommendation. In November 2017, the department described steps it had taken to address the recommendation. However, as of January 2020, the department had not provided documentation demonstrating that it had established metrics and a method for measuring enterprise architecture outcomes. We will continue to monitor the department's efforts to address the recommendation.
Agency: Department of Defense: Department of the Army
Status: Open
Comments: As of January 2020, the Department of the Army had taken steps to address this recommendation, but much more remains to be done. Specifically, in December 2013, the department developed its Army Business Management Strategy, which included metrics to measure the number of business systems retired over five years and cost savings and avoidance through use of the Army's business enterprise architecture. However, as of January 2020, the department had not demonstrated that it had documented the steps to measure the metrics. In January 2020, the department's chief architect stated that the department was in the process of establishing a baseline architecture. We will continue to monitor the Army's efforts to establish an architecture and an approach for measuring architecture outcomes in accordance with our recommendation.
Agency: Department of Energy
Status: Open
Comments: In August 2020, the Department of Energy demonstrated that it had taken steps to implement the recommendation. Specifically, in March 2020, the department developed a draft plan to measure business architecture performance. We will monitor the department's efforts to finalize and implement its plan.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor has not addressed the recommendation. In August 2020, the department stated that it was continuing to evaluate processes for reviewing and assessing enterprise architecture value.
Agency: Department of State
Status: Open
Comments: In February 2020, the Department of State developed an enterprise architecture plan, which identified several benefits that may be achieved by executing the plan. These benefits included, for example, lower support and acquisition costs and reuse of technology and investments. However, the department did not demonstrate that it had established an approach for measuring the potential benefits in the plan. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency has not implemented this recommendation. In December 2019, the agency stated that its chief architect and technical architecture staff were working to reformulate the enterprise architecture program and described several goals and activities that were underway. The agency also stated that the program was examining industry best practices on architecture metrics to determine which would be best for EPA's enterprise architecture program. As metrics are adopted to assess the value of the architecture program, the program will work them into the agency-wide process for performance metrics. We will continue to monitor the agency's efforts to implement the recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration (NASA) has not yet implemented this recommendation. In July 2019, NASA's Associate Chief Information Officer for Enterprise Service and Integration said the agency was in the process of developing an enterprise architecture policy directive and procedural requirements. He anticipated that they would be completed in October 2020.
Agency: Small Business Administration
Status: Open
Comments: As of June 2020, the Small Business Administration had not implemented this recommendation. In August 2019, SBA developed an enterprise architecture program performance guide and value measurement plan. According to the plan, the agency plans to measure cost savings/avoidance and reduction of duplication. However, the agency has not demonstrated that it has documented the steps to be followed to measure the outcomes. Specifically, it did not demonstrate that it had established a method to measure the cost savings/avoidance or the number of duplicate investments reduced.
Agency: Office of Personnel Management
Status: Open
Comments: In February 2020, a Senior Analyst in the Office of Personnel Management's (OPM) Office of Internal Oversight and Compliance stated that, as of January 2020, OPM's Office of the Chief Information Officer (CIO) had established an approach for developing an enterprise architecture. The liaison also stated that, since May 2019, the office of the CIO had established bi-weekly checkpoints with leadership and stakeholders to monitor and report progress and to document established metrics. However, the agency has not demonstrated that it has established a documented method and metrics for measuring enterprise architecture outcomes.
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, the Department of Agriculture demonstrated that it had established an approach to measuring enterprise architecture outcomes; however, it had not yet measured and reported them. The department conducted a survey in February 2020 that collected information such as the number of legacy systems that were identified and subsequently decommissioned, and the number of applications that have been eliminated as a result of application rationalization through use of enterprise architecture. The department stated that it will release the second survey in the first quarter of fiscal year 2021, and the differences in the responses between the first and second surveys will be presented to the CIO Council to show the impact of enterprise architecture. The department did not state when it plans to report the results. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce has not implemented this recommendation. In April 2018, the department issued an Enterprise Architecture Value Measurement Plan; however, the department has not demonstrated that it has measured and reported enterprise architecture outcomes. In January 2020, the department's Office of the Chief Information Officer (CIO) stated that the department recently appointed a new CIO (acting) and was in the process of revisiting all strategic planning initiatives and implementation to ensure they are congruent with the IT strategic vision and objectives. The Office of the CIO also said it was hiring a new Chief Enterprise Architect, which would impact previous initiatives and strategies. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Defense
Status: Open
Comments: In December 2019, the Department of Defense Office of the Chief Information Officer stated that it would establish a documented approach to measuring enterprise architecture outcomes defined in the DOD Digital Modernization Strategy by September 2020, and report outcomes by December 2021.
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: The Department of the Navy has not demonstrated that it has implemented our recommendation. In November 2017, the department described steps it had taken to address the recommendation. However, as of January 2020, it had not provided documentation demonstrating that it has measured and reported enterprise architecture outcomes. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Department of Energy
Status: Open
Comments: As of August 2020, the Department of Energy had not implemented the recommendation. In May 2020, the department described steps it had taken to develop its enterprise architecture. For example, it said that the department had established a Technical Reference Model, which supports processes and criteria for selecting and reviewing software across the department's headquarters. The department said it used the reference model to identify software products that could be eliminated or consolidated to achieve cost savings. However, as of August 2020, the department had not provided documents demonstrating that it had measured and reported architecture outcomes. We will continue to monitor the status of the department's efforts to implement the recommendation.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor has not addressed the recommendation. In August 2020, the department stated that it was evaluating processes for reviewing and assessing enterprise architecture value.
Agency: Department of Veterans Affairs
Status: Open
Comments: In January 2020, the Department of Veterans Affairs stated that it plans to measure enterprise architecture performance by the end of March 2020. We will continue to monitor the department's efforts to address the recommendation.
Agency: Department of State
Status: Open
Comments: In February 2020, the Department of State developed an enterprise architecture plan, which identified several benefits that may be achieved by executing the plan. These benefits included, for example, lower support and acquisition costs and reuse of technology and investments. However, the department did not demonstrate that it had measured and reported outcomes attributed to its architecture. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency has not implemented this recommendation. In December 2019, the agency stated that its chief architect and technical architecture staff were working to reformulate the enterprise architecture program and described several goals and activities that were underway. The agency also stated that the program was examining industry best practices on architecture metrics to determine which would be best for EPA's enterprise architecture program. As metrics are adopted to assess the value of the architecture program, the program will work them into the agency-wide process for performance metrics. We will continue to monitor the agency's efforts to implement the recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration (NASA) has not implemented this recommendation. In July 2019, NASA's Associate Chief Information Officer for Enterprise Service and Integration said the agency was in the process of developing an enterprise architecture policy directive and procedural requirements. He anticipated that they would be completed in October 2020.
Agency: Small Business Administration
Status: Open
Comments: As of June 2020, the Small Business Administration (SBA) had not implemented this recommendation. SBA's Office of the CIO stated that it achieved IT cost savings and avoidance as a result of IT infrastructure service and support reduction and data center optimization in fiscal years 2014 through the third quarter of fiscal year 2019. In a March 2020 memo to GAO, the Chief Information Officer explained that the agency's enterprise architecture team reviewed IT acquisition requests, which led to reducing duplicative IT investments and resulted in the cost savings and avoidance. However, the agency did not demonstrate that it had reliably measured the cost savings and avoidance. Specifically, it did not provide documentation demonstrating how it calculated most of the savings it reported.
Agency: Office of Personnel Management
Status: Open
Comments: In February 2020, a Senior Analyst in the Office of Personnel Management's (OPM) Office of Internal Oversight and Compliance stated that, as of January 2020, OPM's Office of the Chief Information Officer (CIO) had established an approach for developing an enterprise architecture. The liaison also stated that, since May 2019, the office of the CIO had established bi-weekly checkpoints with leadership and stakeholders to monitor and report progress and to document established metrics. However, the agency has not provided documentation demonstrating that it has measured and reported enterprise architecture outcomes.
Agency: Department of Health and Human Services
Status: Open
Comments: As of January 2020, the Department of Health and Human Services had not implemented this recommendation. Specifically, it had not demonstrated that it had measured architecture metrics that it had established in its April 2014 Enterprise Roadmap. We will continue to monitor the department's efforts to implement the recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of December 2019, the Office of Management and Budget (OMB) had not fully addressed our recommendation. In March 2013, the office required agencies to submit annually an Enterprise Roadmap, which was to include an appendix on enterprise architecture outcomes. To prepare the appendix, the office provided agencies with a template to document architecture metrics and measurement methods. The template included examples of outcome metrics and a field where agencies were to document measurement methods. However, OMB did not provide details on the methods that agencies could use to measure architecture outcomes or require that agencies include the steps to be followed for measuring outcomes. In March 2019, OMB said that it was working with agencies to determine approaches for measuring and reporting outcomes achieved through enterprise architecture. However, as of December 2019, OMB had not demonstrated that it had fully addressed the recommendation. We will continue to follow up with OMB on its efforts to implement the recommendation.
GAO-12-423, Jul 30, 2012
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Department of the Interior
Status: Open
Priority recommendation
Comments: Interior has taken steps to identify and evaluate drilling risks, and its work is ongoing. For example, according to BSEE officials, BSEE's SafeOCS program is one effort through which data is collected on risk factors associated with drilling. BSEE expanded the SafeOCS program in 2016 to include required reporting of well control equipment and barrier failure incidents. Additionally, in 2017, BSEE completed two retrospective analyses of factors associated with risk; however, according to BSEE officials, both analyses were limited by the quality of the data. In December 2019, Interior officials stated that the Gulf of Mexico Region's Office of District Operations Support (DOS) has been developing an approach to apply a secondary review to drilling permits deemed to be "high risk." According to these officials, this secondary review will be performed by pre-selected subject matter experts, identified because of their experience with certain aspects of drilling operations. To determine what drilling permits should receive a secondary review, DOS explored a variety of approaches before settling on a two-prong method. Because efforts remain ongoing, it is too soon to assess the extent to which these efforts will be successful. Until such policies are fully implemented and shown to be effective, Interior may not be able to adjust and evaluate its oversight--including inspections--in a cost-effective manner.
GAO-11-587, Jul 20, 2011
Phone: (202)512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In March 2017, IRS issued its Portfolio Investment Plan Process Description Manual for selecting and prioritizing new and ongoing operations support activities. The manual includes criteria for prioritizing selections, and provides for comparing assets against one another to create a prioritized portfolio and ensuring executives' funding decisions are based upon the process for selecting and prioritizing activities. In March 2018, IRS updated the manual and also issued related detailed procedures. In May 2019, IRS stated that its Information Technology/Strategy and Planning group had developed a prioritization process and associated scoring criteria to help facilitate decision making for business systems modernization programs, projects, and capabilities. The agency noted that improvements were being made to the process and full implementation was anticipated for June 2019. In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.
GAO-10-115, Oct 23, 2009
Phone: (202)512-3841
Agency: Department of Energy
Status: Open
Comments: NNSA provided evidence that it requires life cycle cost analyses for projects greater than $20 million. However, this is not fully responsive to GAO's recommendation. For example, the recommendation stated that each life cycle cost analysis performed includes short- and long-term construction and financing alternatives and that these analyses should consider the full life of the facility rather than the 20-year requirements for GSA leases or any predetermined length of time. NNSA's actions do not address this aspect of the life cycle cost analysis. Our work found that facility's life cycle cost analysis only covered 20 years and it failed to reflect cost savings over a longer useful life (possibly over 50 years) that could have been realized if the facility were purchased instead of leased. Nothing in the Order addresses how the life cycle cost period to be analyzed should be established (e.g., 20 years or 50 plus years). Although we requested additional information from NNSA on this recommendation in fiscal year 2019, the agency has not responded. As a result, as of June 2020, the recommendation remains open.
Agency: Department of Energy
Status: Open
Comments: As of August 2020, there has been no change in the status of this recommendation. While NNSA/contractor actions are commendable and appear to be beneficial, such as adding performance-based incentives, training 950 employees, and including new contract clauses in its supplier purchase orders, these actions do not fully satisfy the recommendation. GAO's recommendation was specifically directed at the effectiveness of NNSA's oversight of the KCP contractor's export control and nonproliferation practices and to initiate corrective actions to strengthen that NNSA oversight. While the Kansas City Site Office's addition of a performance based incentive seems to be a good improvement, NNSA has not demonstrated its own oversight effectiveness. Our review of NNSA's response provided in March 2014 was not persuasive. In addition, GAO-16-710 found that as of May 2016, the Secretary of Energy had not used the enhanced procurement authority to ensure supply chain integrity, and the Department of Energy (DOE) had not developed processes for using the authority, as it had not fully assessed the circumstances under which the authority might be useful. Although NNSA provided additional information on this recommendation in August 2019, these actions relied primarily on contractor self assessments and not on independent federal oversight. As a result, this recommendation will continue to remain open.
GAO-09-56, Oct 3, 2008
Phone: (202)512-6570
Agency: Department of Transportation
Status: Open
Comments: In GAO-09-56, GAO recommended the Secretary of Transportation consider and evaluate practices and principles for making conditions under uncertainty and for using data in light of issues encountered in developing evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty. GAO had studied driver distraction involving electronic devices, in particular cell phones with texting capability and identified these evolving electronic devices as a high clockspeed trend. DOT reports several actions on distracted driving, specifically: (1) an Executive Order to federal employees not to engage in text messaging while driving government-owned vehicles; when using electronic equipment supplied by the government while driving; or while driving privately owned vehicles when they are on official business; (2) the Secretary called on state and local governments to (a) make distracted driving part of their state highway plans, (b) pass state and local laws against distracted driving in all types of vehicles, (c) back up public awareness campaigns with high-visibility enforcement actions; (3) the Secretary directed the Department to establish an on-line clearinghouse on the risks of distracted driving and also (4) pledged to continue the Department's research on how to best combat distracted driving. DOT also notes that the Department's www.distraction.gov website provides information on the latest data on distracted driving and that 34 states have passed laws against texting and driving since the 2009 announcement by the Secretary of DOT.
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation.
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation, but DOT announced a distracted driving summit September 30-October 1, 2009, with a limited number of invitees, and invited the GAO Assistant Director on this report to participate. U.S. Transportation Secretary Ray LaHood stated that the purpose of the summit is "to address the dangers of text-messaging and other distractions behind the wheel." The summit will include "senior transportation officials, elected officials, safety advocates, law enforcement representatives and academics" who will convene in Washington, DC "to discuss ideas about how to combat distracted driving."
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation.