Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Personally identifiable information"
GAO-20-431, Sep 21, 2020
Phone: (202) 512-4456
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-288, May 17, 2019
Phone: (202) 512-9342
including 2 priority recommendations
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation
Comments: HHS, on behalf of CMS, did not concur with this recommendation. In its February 2020 response to GAO, HHS stated that current NIST guidance to agencies was insufficient and that CMS would look forward to future guidance from NIST and OMB to help guide consideration of non-knowledge-based verification options. We continue to believe that our recommendation is valid because a variety of alternative methods to knowledge-based verification are available that CMS can consider to address the diverse population it serves. Further, NIST has agreed with our recommendation to develop additional guidance for agencies, and CMS may be able to use that guidance to identify a verification approach that does not rely on knowledge-based techniques. We will continue to monitor the actions CMS may take to address the recommendation.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: VA agreed with our recommendation. To fully implement this recommendation, VA needs to develop a plan with milestones to document the results of their evaluation of the alternatives the department stated it is interested in pursuing.
GAO-19-340, May 9, 2019
Phone: (202) 512-9110
including 1 priority recommendation
Agency: Congress
Status: Open
Comments: No action has been taken on this matter as of December 2019.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however, it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.
GAO-19-196, Feb 21, 2019
Phone: (202) 512-8678
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In July 2020, CFPB staff noted that they have reviewed state CRA registration information available to them, are working to obtain additional state registration information, and are exploring additional ways to leverage the information. GAO will continue to monitor CFPB's progress in leveraging additional sources of information that would help identify larger participant CRAs.
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In July 2020, CFPB staff noted that they were assessing whether, and if so, how and when, to incorporate data security risks into their supervisory prioritization. As part of that evaluation, CFPB is assessing whether those processes should incorporate data security risks CRAs pose to consumers in light of the agency's statutory authorities, supervisory responsibilities, and resources. GAO will continue monitoring CFPB's assessment of prioritization of CRA data security risks.
Agency: Congress
Status: Open
Comments: As of July 2020, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act.
GAO-19-52, Jan 15, 2019
Phone: (202) 512-2834
Agency: Congress
Status: Open
Comments: When we confirm what actions Congress has taken in response to this recommendation, we will provide updated information.
GAO-19-105, Dec 18, 2018
Phone: (202) 512-6244
Agency: Department of Homeland Security
Status: Open
Comments: DHS provided evidence in December 2019 but it was insufficient to close this recommendation. We will continue to follow up with DHS.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
GAO-18-518, Sep 17, 2018
Phone: (202) 512-9342
Agency: Department of Education
Status: Open
Comments: FSA concurred with this recommendation and the agency stated that loan servicers are scheduled to be enrolled in its ongoing security authorization program beginning in fiscal year 2019. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA stated that it concurred with this recommendation, but the actions it said it planned to take would not fully address it. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA concurred with this recommendation and described planned actions to address it. In November 2019, FSA officials told us that this recommendation has a pending date of 5/31/2020 for completion. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA partially concurred with this recommendation and described actions it planned to take in response. However, we believe the entire recommendation is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA stated that it partially agreed with this recommendation; however, if effectively implemented, the planned actions it described would address this recommendation. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA did not concur with this recommendation. However, we believe it is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-365, Jun 25, 2018
Phone: (202) 512-9286
Agency: American Battle Monuments Commission
Status: Open
Comments: American Battle Monuments Commission (ABMC) officials stated they are working to implement GAO's recommendations by the end of fiscal year 2020.
Agency: American Battle Monuments Commission
Status: Open
Comments: American Battle Monuments Commission (ABMC) officials stated they are working to implement GAO's recommendations. On February 18, 2020, ABMC published proposed revised FOIA regulations which are pending final rule in the Federal Register.
Agency: U.S. Agency for Global Media
Status: Open
Comments: The U.S. Agency for Global Media (formerly known as the Broadcasting Board of Governors) performed a comprehensive review of its FOIA regulations and updated its regulations in accordance with GAO's recommendation. The agency anticipates publishing proposed updates for notice and comment in spring 2020, followed by a final rule.
Agency: Department of Homeland Security
Status: Open
Comments: In April 2018, the Department of Homeland Security initiated a department-wide compliance assessment and stated that it plans to use the results of the assessment to help guide the department in identifying best practices and areas of improvement. The department does not have an estimate for when the plan will be complete.
Agency: Department of the Interior
Status: Open
Comments: In August 2018, the Department of the Interior informed GAO that the department has created a preliminary backlog reduction plan that includes expanding the use of automation tools, expanding the use of interim responses, and closing the Department's 10 oldest requests. Currently, GAO is awaiting a copy of the Department's backlog reduction plan.
Agency: Equal Employment Opportunity Commission
Status: Open
Comments: GAO is currently awaiting the agency's response to GAO recommendations.
Agency: Equal Employment Opportunity Commission
Status: Open
Comments: GAO is currently awaiting the agency's response to GAO recommendations.
Agency: Department of Justice
Status: Open
Comments: In August 2018, the Department of Justice acknowledged that it plans to reexamine its progress and take steps for continued improvement in reducing its backlog. Currently, GAO is awaiting a response from the Department on a publication date.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: In August 2018, NASA agreed to provide agency records of final opinions online. NASA noted that final opinions will be provided online as they are issued and released for public posting. To date, the Department has not posted any final opinions.
Agency: National Transportation Safety Board
Status: Open
Comments: In August 2018, NTSB provided a plan that laid out tasks for reducing its backlog. The plan did not, however, provide milestones or dates for when these tasks would be completed. GAO is currently waiting for the finalized backlog FOIA plan.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: GAO is currently awaiting the agency's response to GAO recommendations.
Agency: Pension Benefit Guaranty Corporation
Status: Open
Comments: The Pension Benefit Guaranty Corporation stated that it has designated the deputy director as the chief FOIA officer. It also noted that the director is at the Senior Level. However, this position is not equivalent to the assistant secretary level identified by GAO.
Agency: Tennessee Valley Authority
Status: Open
Comments: In August 2018, TVA provided a response to GAO's recommendation to ensure their FOIA tracking system is compliant with section 508 requirements. TVA is currently performing an in-depth assessment of their tracking system to identify where updates can be made to ensure 508 compliance. TVA expects the assessment to be completed by the end of January 2020.
Agency: African Development Foundation
Status: Open
Comments: U.S. African Development Foundation officials have stated that their FOIA regulations are currently under review and that they expect them to be published in the first half of calendar year 2020.
Phone: (202) 512-9110
including 3 priority recommendations
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials had developed a draft policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, as we recommended. IRS officials stated that once this policy is approved, it will be used to develop a plan to perform risk assessments for these authentication channels. IRS's continued attention to this recommendation will help ensure that it is aware of emerging threats to the tax environment.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that they will develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication by May 2020. Until IRS develops and implements this plan, these authentication channels may be more vulnerable to fraudulent activity, including unauthorized attempts to access taxpayer information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that the agency intends to implement this recommendation by spring 2020. Officials noted that developing a systemic solution for collecting data on all authentication outcomes is complex and involves multiple IRS business divisions. Until IRS fully addresses this recommendation, it will have limited insight into the number of taxpayers who fail authentication and the reason for failure.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS stated that it has planned enhancements to its authentication data collection procedures in AMS. Officials stated that by June 2020, they intend to implement improvements for ensuring data quality of authentication outcomes. Until IRS fully implements our recommendation, it will be limited in conducting systematic data analysis on taxpayer authentication outcomes.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials told us that IRS has explored options that will allow the agency to more effectively record, track, and monitor authentication outcomes. IRS officials said that they are developing and testing a tool to document Taxpayer Protection Program interactions, outcomes of taxpayer authentication, and the reasons for authentication failures. Officials stated that IRS plans to have this tool implemented by spring 2020, one year later than originally planned. Officials stated that the delay is due to additional technical programming to fully develop the tool. We will follow up on IRS's actions to determine the extent to which they implement our recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to implement this recommendation. Efforts include developing plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials told us that they plan to work with external partners to perform additional testing on its new authentication platform this year, including a usability study to understand user experience. IRS officials also stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. IRS's timely implementation of NIST's guidance is critical to help the agency mitigate potential security weaknesses in its existing online authentication programs.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to develop plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. As noted in our report, IRS's timely implementation of NIST's new guidance is critical, as it can help the agency mitigate potential security weaknesses in its existing online authentication programs.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
GAO-18-224, Jan 30, 2018
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of October 2019, IRS continues to disagree with this recommendation. IRS stated that it does not have all the information required for calculating and sending late penalty notifications prior to the beginning of the next filing season. However, in its response, IRS did not consider other options that could be available prior to finalizing penalty calculations, such as communicating with the employers earlier in the process. As noted in our report, quickly responding to employers that filed late increases the potential for compliance, thereby increasing the availability of W-2 data for systemic verification to detect and prevent fraud and noncompliance. We continue to believe that assessing the options for improving enforcement of late W-2 filing penalties, such as through earlier communication, would help IRS identify potential opportunities to encourage compliance with the W-2 filing deadline and verify more wage information before releasing refunds. We will continue to discuss options with IRS regarding this recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, IRS has assessed the benefits of modifying the refund hold, but it has not assessed the costs, as GAO recommended in January 2018. In November 2018, IRS provided its assessment of the February 15 refund hold. In it, IRS reiterated its findings regarding the benefits of the refund hold. These benefits included potential savings if IRS modified the hold to include all taxpayers, extended the hold to a later date when more W-2 data are available, or made both changes. However, IRS did not include any assessment of costs to achieve these potential savings, such as the costs for IRS to review any additional returns that would be identified under a modified refund hold. It did not assess taxpayer burden, either. IRS also did not determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. In January 2019, IRS took actions to hold more returns beyond the February 15 refund hold date using a risk-based selection method. Nevertheless, without a complete assessment of the benefits and costs, including taxpayer burden, IRS is making a decision based upon incomplete information. Further, if Congress or Treasury considered making any changes, they too would have incomplete information on which to direct IRS's actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, IRS has taken actions consistent with our recommendations by modifying its filters to hold more returns claiming the Earned Income Tax Credit (EITC) or Additional Child Tax Credit (ACTC) beyond the February 15 refund hold date based on a risk-based selection method. In addition, in May 2019, IRS officials told us they are making similar changes for the 2020 filing season to hold more high-risk returns not claiming EITC or ACTC until W-2 data are available. This action, if taken, would be consistent with our recommendations. In 2018, IRS assessed the benefits of modifying the refund hold; however, it did not assess or document the costs, including taxpayer burden, or determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. Completing these actions, along with the planned modifications, would fully address our recommendations, which would enable IRS to make decisions based on completed information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS provided results for a pilot encouraging voluntary compliance through expanded systemic verification using W-2 data. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. If IRS determines that the benefits outweigh the costs of adopting this practice based on the pilot results, or assesses additional options to address other fraud and noncompliance before issuing refunds, it would satisfy our recommendation. We will continue to follow IRS's progress on the pilot and its results.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS provided an evaluation of a pilot it conducted during tax year 2019. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. IRS told us they intend to continue the pilot during tax year 2020. We will continue to follow IRS's progress on the pilot and its results.
GAO-18-20, Nov 28, 2017
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS transitioned the Information Sharing and Analysis Center (ISAC) from a pilot to full implementation in October 2018. As of June 2020, we have requested documentation from IRS related to this transition to determine if it is consistent with the recommendation to align with leading practices. We will continue to monitor ISAC activities.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: The ISAC annual report released in April 2018 cites plans to continue to grow member participation from private sector and other government agencies and to provide opportunities to deepen members' participation with clear guidelines. As of June 2020, we have requested additional information about participation levels and ongoing outreach efforts. Developing an outreach plan to broaden membership to non-Security Summit members of industry and financial institutions would further promote stakeholders collaborating and sharing fraud information.
GAO-17-614, Aug 3, 2017
Phone: (202) 512-6244
including 2 priority recommendations
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM partially concurred with the recommendation. OPM has improved its POA&M management system. Using this system, the agency provided, on 08-27-19, milestones showing timely validation of evidence for closing one US-CERT recommendation. However, OPM has not provided support showing timely validation of 16 other US-CERT recommendations that it has closed. OPM needs to provide evidence of timely validation of these 16 completed recommendations, or evidence for the two US-CERT recommendations that remain open, once these two have been closed and validated. As of March 2020, OPM has not yet provided evidence of taking such actions.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM concurred with the recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop role-based training requirements for its continuous monitoring program, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to issue role-based training requirements for individuals who configure and maintain the deployed continuous diagnostics and mitigation tools. As of March 2020, OPM has not yet provided evidence of taking such actions.
GAO-17-553, Jul 25, 2017
Phone: (202) 512-6244
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
GAO-17-254, Mar 30, 2017
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: As of July 2020, Congress had not enacted legislation for which our Matter for Congressional Consideration would be applicable.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As we reported in GAO-19-230, we contacted OMB several times between May 2018 and early March 2019 to update the status of this recommendation, and again in July 2020, but as of July 2020, OMB had not responded with an update.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: No executive action identified. As of July 2020, OMB had not responded to GAO's request for an update.
GAO-17-163, Feb 1, 2017
Phone: (202) 512-6244
including 2 priority recommendations
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: For all eleven functions, DHS has measures that evaluate compliance with five (1, 2, 5, 6, 7) of the nine principles and considered whether measures and applicability were appropriate for the other four principles. In February 2020, DHS stated that it does not measure any functions' adherence with principle #8 related to safeguarding against unauthorized access or #9 regarding compliance with policies, regulations, and laws related to privacy and civil liberties. Specifically, the agency stated these two principles are a steady state consideration across all mission areas and functions and have no associated identified measure. For the remaining two principles, DHS did not provide measures that were related to prioritizing activities based on level of risk (#3) or ensuring that appropriate consideration of coordination with subject matter experts from industry, academia, and national labs (#4). As such, DHS does not have appropriate means for assessing the eleven functions against those two principles. However, in March 2020, DHS stated that the metrics for 2020 were different than those in 2019. Officials are in the process of creating a mapping between the previously provided metrics and those for 2020. We will review this mapping and determine if the aforementioned is still applicable with the new metrics.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: For all 11 functions, DHS stated they have a means of evaluating compliance with five (1, 2, 5, 6, 7) of the nine principles. Once DHS provides specific evidence of data tracked in support of the aforementioned compliance measures, we will review to determine if they have closed this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: In November 2018, DHS invited GAO to observe a vendor's demonstration of the anticipated Unified Workflow Solution (UWS) that officials stated could support closure of this recommendation, when implemented. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.
Agency: Department of Homeland Security
Status: Open
Comments: In March 2019, DHS said that they will provide GAO with a list of the entry points into the NCCIC service desk as well as the standard operating procedures (SOP) and process for quality assurance and quality control. Additionally, the development of the NCCIC Unified Workflow Solution (UWS) could impact this recommendation as well. In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.
Agency: Department of Homeland Security
Status: Open
Comments: In November 2019, DHS stated that while no alerts or advisories are sent only to Section 9 entities, they do have various forums and mechanisms through which Section 9 entities receive cybersecurity information: HSIN Communities of Interest, the CISCP program, the applicable Sector Specific Agencies, and the applicable Section Information Sharing and Analysis Centers. Further analysis of the membership of the aforementioned forums and mechanisms is needed to determine the extent of Section 9 representation.
Agency: Department of Homeland Security
Status: Open
Comments: In November 2019, DHS stated that the legacy Help Desk and operational activity tracking tools continue to be assessed and requirements identified for configuration into the Unified Workflow Solution (UWS). In February 2020, DHS stated that their planning and design efforts are ongoing and are on track for deployment of a Minimal Viable Product in April 2020. Once DHS has developed and implemented the UWS, we will review their efforts to determine the extent to which the agency has integrated information related to security incidents.
GAO-16-686, Aug 26, 2016
Phone: (202) 512-6244
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.
Agency: Department of Defense
Status: Open
Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.
Agency: Department of State
Status: Open
Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.
Phone: (202) 512-7968
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS has made progress in improving its online services strategy, as we recommended, but as of February 2020, IRS has not yet completed its efforts. IRS's strategy has evolved from a singular focus on online services to a more comprehensive strategy of taxpayer interaction through all service channels. In February 2016, IRS announced an agency-wide Future State Initiative, which, in part, aims to deliver service improvements across different taxpayer interactions such as individual online accounts assistance, exams, and collections. In July 2016, the official responsible for IRS's online office reported that the agency is working towards developing an overall customer service satisfaction goal as part of the IRS Future State Initiative. The official said that this goal is broadly meant to cover various ways the public interacts with IRS, including web, phone, correspondence, and walk-in. In November 2016, IRS provided documentation on the goals of the Future State Initiative. However, this documentation does not include specific numerical targets for the performance measures that IRS expects to achieve for each goal or a timeline to achieve those goals. IRS officials stated they will incorporate a customer service satisfaction goal in its upcoming strategic plan. IRS released the Fiscal Year 2018-2022 Strategic Plan; however, a numerical or other measurable goal to improve taxpayer satisfaction with the website was not included in it. We are currently following up with IRS to determine their next steps.