Recommendation: To achieve a better understanding of the effect of certain Personal care services (PCS) services on beneficiaries and a more consistent administration of policies and procedures across PCS programs, the Acting Administrator of CMS should collect and analyze states' required information on the impact of the Participant-Directed Option and Community First Choice programs on the health and welfare of beneficiaries as well as the state quality measures for the Participant-Directed Option and Community First Choice programs.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: The Centers for Medicare & Medicaid Services (CMS) concurred with GAO's recommendation. On December 30, 2016, the agency issued guidance on the Community First Choice program to assist states in submitting information to CMS on the health and welfare of beneficiaries. In March 2019, CMS officials stated that the agency is currently developing the process for states to report this information to CMS. Agency officials also stated they are exploring the value of collecting this information for the Participant-Directed Option program given the limited number of states currently operating under this authority. In February 2020, CMS officials stated that the agency continues to develop policy related to this recommendation.

Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.

Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.

Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.

Recommendation: In light of the need for accurate and complete information on children's access to health services under Medicaid and CHIP, the requirement that states report information to CMS on certain aspects of their Medicaid and CHIP programs, and problems with accuracy and completeness in this state reporting, the Administrator of CMS should work with states to identify additional improvements that could be made to the CMS 416 and CHIP annual reports, including options for reporting on the receipt of services separately for children in managed care and fee-for-service delivery models, while minimizing reporting burden, and for capturing information on the CMS 416 relating to children's receipt of treatment services for which they are referred.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In August 2019, CMS stated that the agency's long-term plan is to use the Transformed Medicaid Statistical Information System (T-MSIS) to analyze information on children's receipt of Early and Periodic Screening, Diagnostic and Treatment (EPSDT) services. As of June 2020, CMS had developed a new CMS-416 reporting form that gives states the option of having CMS calculate the measures for the report using T-MSIS. CMS stated that it intends to implement this option for states for fiscal year 2020 CMS-416 reports, which are due in April 2021. As of August 2020, the new CMS-416 form was undergoing Paperwork Reduction Act review. CMS is also exploring using T-MSIS to generate the Core Set of Children's Health Care Quality Measures for Medicaid and CHIP, some of which are included in the CHIP annual report. As of June 2020, CMS had begun a pilot test to generate five of the Core Set measures using 2018 T-MSIS data. GAO considers this recommendation open and will continue to monitor CMS's progress towards its long-term goal of using T-MSIS to monitor children's receipt of EPSDT services.

Recommendation: To help ensure that FDA's overseas offices are able to fully meet their mission of helping to ensure the safety of imported products, the Commissioner of FDA should ensure, as it completes its strategic planning process for the overseas offices, that it develops a set of performance goals and measures that can be used to demonstrate overseas office contributions to long-term outcomes related to the regulation of imported products and that overseas office activities are coordinated with the centers and Office of Regulatory Affairs (ORA).

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: In June and July 2018 FDA reported on its recent efforts to assess the effectiveness of the foreign offices' contributions to drug-safety related outcomes. Among other things, the agency developed new performance measures for these offices along with a monitoring and evaluation plan and conducted an assessment of the foreign offices to help set their objectives and ensure the right balance of personnel, skillsets, and resources. However, FDA still had to develop intermediate outcomes to link with final outcomes. In August 2020, the agency indicated that because of a reorganization and strategic planning effort for its Office of Global Policy and Strategy, it was still revising and updating its measures and its approach to evaluating impact in 2020 to align with a five-year strategic plan completed in March 2020. The agency indicated that the recommendation should remain open, and GAO will continue to monitor the implementation of this recommendation.

Recommendation: To help DOD obtain reasonable assurance that all active and Reserve component servicemembers to whom the PDHRA requirement applies are provided the opportunity to have their health concerns identified, the Assistant Secretary of Defense for Health Affairs and the military services should take steps to ensure that PDHRA questionnaires are included in DOD's central repository for each of these servicemembers.

Agency: Department of Defense
Status: Open

Comments: In its comments to this report, the Department of Defense (DOD) concurred with this recommendation. On October 2009, DOD's Force Health Protection and Response Office sent a memo to each of the military service Surgeons General emphasizing the need for the post-deployment health reassessment (PDHRA) to be offered to all service members who are eligible to complete the assessment. In 2010, DOD's noted that the services would work with the Armed Forces Health Surveillance Center (AFHSC) repository to ensure PDHRAs are submitted correctly, without transmission errors. DOD's 2011 case records showed that the Air Force and Army had developed data verification processes to ensure that AFHSC received PDHRAs. Further, the Defense Medical Data Center (DMDC) had planed to create a file consisting of the date of deployment for deployed personnel, and that the file would be available to the services in order to match DMDC with data from each of the service-specific systems, in accordance to requirements. In September 2011, although DMDC and the services had agreed to match rosters of deployed service members, there were still inconsistencies in deployment dates. In March 2012, DOD was still verifying data inconsistencies which, until resolved, leads to inaccurate reporting based on errors in the deployment dates. As of September 2019, DOD has not provided information or documentation to address this recommendation.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premiums rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In April 2018, FEMA officials told us they had begun to redesign NFIP's risk rating system to help ensure policy rates better reflect the risk of flooding. The redesign, known as Risk Rating 2.0, includes efforts to use catastrophe models, stochastic approaches, and updated map information to better reflect the variation in flood risk. These reforms are also intended to improve how FEMA's rating process accounts for general and specific factors that affect flood probabilities and damage. While FEMA initially announced that new rates for all single-family homes would go into effect nationwide on October 1, 2020, it announced in November 2019 that it would defer implementation to October 1, 2021. FEMA said this would allow it to conduct a comprehensive analysis of the proposed rating structure so as to protect policyholders and minimize any unintentional negative effects of the transition, and that the new implementation date would cover all NFIP policies.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

Agency: Department of Homeland Security
Status: Open

Comments: As of February 2020, FEMA officials said they had finished identifying properties with grandfathered premium rates and that they planned to analyze their economic implications as part of their efforts to update their premium rate setting approach, known as Risk Rating 2.0. FEMA plans to implement this redesign on October 1, 2021.