Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Assistant to the President for National Security Affairs, in coordination with relevant stakeholders from NSC and NEC, should ensure that the plan to implement the 5G national strategy fully addresses all elements of our six desirable characteristics of a national strategy.

Agency: Executive Office of the President: Office of the Assistant to the President for National Security Affairs
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should plan and conduct regular fraud risk assessments of PA emergency work grants to determine a fraud risk profile that aligns with leading practices as provided in the Fraud Risk Framework. Specifically, this process should include (1) identifying inherent fraud risks to PA grant funds, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, (4) examining the suitability of existing fraud controls, and (5) documenting the fraud risk profile. (Recommendation 1)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should designate one entity as the lead entity with responsibility for providing oversight of agency-wide efforts to manage fraud risks to PA emergency work grants, including managing the fraud risk assessment process, consistent with leading practices. (Recommendation 2)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should update key training and guidance documents for the PA grant program to include information on where and how to report suspected fraud, and direct PA recipients to include such information in key training and guidance documents they provide to subrecipients. (Recommendation 3)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should update key resources, such as training and guidance documents, FEMA makes available to PA applicants to ensure these resources consistently communicate information on the highest fraud risks to PA emergency work grant funds and applicants' responsibilities for managing those risks. The highest fraud risks may include risks related to procurement and debris removal, and other risks FEMA identifies through fraud risk assessments. (Recommendation 4)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FEMA should implement program-specific antifraud training for PA staff who work directly with PA applicants; this training should include information on the highest fraud risks to PA emergency work grants. The highest fraud risks may include risks related to procurement and debris removal, and other risks FEMA identifies through fraud risk assessments. (Recommendation 5)

Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should direct and coordinate with the Chief Executive Officer of USAC to comprehensively assess fraud risks to the E-rate program, including implementing their respective plans for developing periodic fraud risk assessments, examining the suitability of existing fraud controls, and compiling fraud risk profiles following the timelines described in this report. The assessments should be informed by the key fraud risks identified in this report from closed court cases, prior risk assessments, and OIG reports, among other sources. (Recommendation 1)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should ensure that FCC and USAC follow the leading practices in GAO's Fraud Risk Framework when designing and implementing data-analytics activities to prevent and detect fraud as part of their respective antifraud strategies for the E-rate program. (Recommendation 2)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should direct the Chief Executive Officer of USAC to clearly define and fully document the data fields in all relevant E-rate program computer systems to help improve FCC's ability to understand and use data to manage fraud risks. (Recommendation 3)

Agency: Federal Communications Commission
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should direct the W87-1 program to ensure consistent, reliable, and objective assessments of remaining feature and component design decisions in Phase 6.2 by developing study plans for remaining design studies consistent with the guidelines for such plans in NNSA's AOA procedure, including documenting and justifying deviations from best practices. (Recommendation 1)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should direct the Office of Defense Programs to revise its program execution instruction to require that design studies for warhead life extension and replacement programs follow AOA best practices, such as by having a study plan, or to justify and document deviations from best practices. (Recommendation 2)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should direct the Office of Defense Programs' plutonium program office to ensure that the integrated master schedule in development for pit production meets NIMS standards, consistent with best practices for schedule development. (Recommendation 3)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should direct the W87-1 program to prioritize the development and documentation of a risk mitigation strategy to address the risk that pit production may be insufficient to meet W87-1 production needs. (Recommendation 4)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 7)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 8)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FAA Administrator should configure its CDM tools to compare configuration settings against federal core benchmarks and agency-specific variations applicable to its environment. (Recommendation 9)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools. (Recommendation 10)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 11)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of IHS should configure its CDM tools to compare configuration settings against federal core benchmarks applicable to its environment. (Recommendation 12)

Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 13)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 14)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The SBA Administrator should configure its CDM tools to compare configuration settings against agency-specific benchmarks applicable to its environment. (Recommendation 15)

Agency: Small Business Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should establish quantifiable targets for the Surface Transportation Security Inspectors Program's activity-level performance measures. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should require the W80-4 program, when it issues its baseline cost report prior to entry into phase 6.4, to adopt a date for the delivery of a first production unit, and dates for other key program milestones, based on the program's current schedule risk analysis, or document its justification for adopting alternative schedules and milestones based on other factors. If necessary, the Administrator should alert the Secretary of Energy to the need to engage in the extension or notification processes identified in statute for adopting a first production unit delivery date after September 2025. (Recommendation 1)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The NNSA Administrator should revise the Program Execution Instruction or other related directives to require future LEPs and nuclear weapon modernization programs of similar complexity, when they issue a WDCR or baseline cost report, to establish program schedules and key milestone dates (including the FPU delivery date) on the basis of a formal schedule risk analysis that aligns with best practices, or document the justification for any decision to adopt alternative schedules and milestones based on other factors. (Recommendation 2)

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The U.S. commissioners of the International Joint Commission should work with the Canadian commissioners to update the Lake Ontario-St. Lawrence River Board communications plan and ensure that the plan incorporates best practices for public relations efforts, in particular defining target audiences and developing mechanisms to monitor and inform adjustments to strategies, and generally accepted principles for communicating risk-related information. (Recommendation 1)

Agency: International Joint Commission--United States and Canada
Status: Open

Comments: The International Joint Commission (IJC) agreed with our recommendation. IJC stated that it intends to develop an updated communications plan that incorporates best practices for public relations efforts by December 31, 2020. We will continue to monitor IJC's actions in response to this recommendation.

Recommendation: The U.S. commissioners of the International Joint Commission should work with the Canadian commissioners to develop and enter into written agreements with entities that the Great Lakes-St. Lawrence River Adaptive Management Committee identifies as having information or resources that the committee needs to effectively monitor and evaluate the impacts of Plan 2014. (Recommendation 2)

Agency: International Joint Commission--United States and Canada
Status: Open

Comments: The International Joint Commission (IJC) agreed with our recommendation. IJC is compiling a list of entities with which it shares information to explore formal data and information sharing arrangements with them. We will continue to monitor IJC's actions in response to this recommendation.

Recommendation: The U.S. commissioners of the International Joint Commission should work with the Canadian commissioners to ensure that IJC fully incorporates the key elements and essential characteristics of the adaptive management process into a comprehensive adaptive management strategic plan for Plan 2014. (Recommendation 3)

Agency: International Joint Commission--United States and Canada
Status: Open

Comments: The International Joint Commission (IJC) agreed with our recommendation. IJC plans to produce a comprehensive adaptive management strategic plan that fully incorporates the key elements and essential characteristics of the adaptive management process by December 31, 2020. We will continue to monitor IJC's actions in response to this recommendation.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment implements DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant DOD guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Under Secretary of Defense for Acquisition and Sustainment should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that the Under Secretary of Defense for Acquisition and Sustainment will oversee updates to relevant guidance related to supply processes and that they anticipate the updates to be complete by May 31, 2021. The department further noted that the Under Secretary of Defense for Acquisition and Sustainment will ensure updates are made to the acquisition policies, when and if appropriate. However, the department stated that its Adaptive Acquisition Framework currently provides all of the necessary flexibility required. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Army should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Army guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Army should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 2)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that the Army would update, as appropriate, Army guidance related to acquisition and supply upon updates to DOD's climate adaptation directive and other applicable DOD or federal regulations. However, DOD noted that it does not plan to update its acquisition guidance in response to our recommendation that DOD do so. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Navy should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Navy guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Navy should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 3)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that the Department of the Navy had suggested that the recommendation be restated to recommend that the Department of the Navy ensure that its guidance and procedures are updated to align with DOD's directive on climate adaptation upon issuance of an updated directive. However, DOD has not identified any plans to update its directive on climate change adaptation. Thus, we continue to believe that the Department of the Navy should update its guidance related to acquisition and supply to incorporate the current guidance in DOD's climate adaptation directive, which it has not yet done. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Air Force should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Air Force guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Air Force should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 4)

Agency: Department of Defense: Department of the Air Force
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that the Air Force will work with the Office of the Under Secretary of Defense for Acquisition and Sustainment and the other military services to develop specific policies that address climate-related risks to DOD contractors. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy, in coordination with the Under Secretary of Defense for Acquisition and Sustainment, the Secretaries of the military departments, and any other governmental and private-sector partners, as appropriate, determine what approaches may be feasible in conducting mission assurance related assessments of commercially owned facilities. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that formal mission assurance assessments are limited in scope in order to provide additional rigor to protect DOD's most critical capabilities. However, the department stated that the Office of the Under Secretary of Defense for Policy would work with the Office of the Under Secretary of Defense for Acquisition and Sustainment's Defense Contract Management Agency to better understand DOD's commercial dependencies. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy, in coordination with the Under Secretary of Defense for Acquisition and Sustainment, the Secretaries of the military departments, and any other governmental and private-sector partners, as appropriate, issue new or update existing guidance, based upon the determination of what approaches may be feasible, to clarify the steps that DOD officials involved in the mission assurance process may take to apply the mission assurance framework to commercially owned facilities, as appropriate, to include consideration of risks related to climate change and extreme weather. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that it concurs with the need to clarify steps that officials may take to apply the mission assurance framework to defense critical infrastructure and critical defense industrial base commercially owned facilities, to include consideration of risks related to climate change and extreme weather. However, the department further noted that it does not concur with doing this for all commercial facilities because conducting such assessments for all commercially owned facilities falls outside the capacity and authority of DOD to conduct mission assurance assessments. However, we had not recommended they conduct such assessments for all commercial facilities. We will continue to monitor the status of this recommendation.

Recommendation: The Office of the Chief Financial Officer should require payment reporting sites to document their procedures for identifying, tracking, and reporting improper payments to ensure they provide consistent and comparable information about their improper payments over time. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said that it plans to clarify and adjust its current and future guidance to its payment reporting sites to require that the sites (1) develop and maintain procedures to support implementation of its payment integrity requirements for identifying, tracking, and reporting improper payments, and (2) require payment reporting sites to certify that the procedures have been developed and implemented. We will monitor and report on DOE's progress in implementing these planned actions.

Recommendation: The Office of the Chief Financial Officer should develop a monitoring process to ensure that payment reporting sites document and implement procedures that will enable them to correctly identify and report improper payments to the OCFO. (Recommendation 2)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said that it will (1) take measures to strengthen and enhance the existing payment integrity monitoring and quality assurance program by conducting period payment reporting site visits and (2) establish a payment integrity working group to identify best practices for incorporation into DOE processes. We will monitor and report on DOE's progress in implementing these planned actions.

Recommendation: The Office of the Chief Financial Officer should require payment reporting sites to document policies for tracking questioned costs to resolution. (Recommendation 3)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said they plan to develop and implement processes and procedures for tracking questioned costs to resolution. We will monitor and report on DOE's progress in implementing these planned actions.

Recommendation: The Office of the Chief Financial Officer should track information on the year the payment occurred for all improper payments, regardless of when they are identified, and determine and disclose in DOE's AFR whether the department's total annual improper payments exceeded $100 million in any given year. (Recommendation 4)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said it will conduct annual look-back analyses to the extent possible to determine if prior year reporting exceeded the $100 million threshold, and therefore could be subject to additional reporting requirements. We will monitor and report on DOE's progress in implementing these planned actions.

Recommendation: The Office of the Chief Financial Officer should clarify guidance to (1) define the factors for assessing adequacy of payment reporting sites' justifications that conducting recapture audits would not be cost-effective, and (2) require that the Office of the Chief Financial Officer review the sufficiency of these justifications against the criteria defined. (Recommendation 5)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said it will revise and enhance procedures defining the OCFO quality assurance process to (1) define the criteria for assessing the adequacy of payment reporting sites' justifications, and (2) review the payment reporting sites' justifications against the criteria defined. We will monitor and report on DOE's progress in implementing these planned actions.

Recommendation: The Office of the Chief Financial Officer should evaluate whether payment reporting sites could identify enough additional improper payments through payment recapture audits to make those audits cost-effective, such as by performing audits at selected sites. (Recommendation 6)

Agency: Department of Energy
Status: Open

Comments: DOE disagreed with the recommendation, stating in its comments that it has an ongoing Fraud Risk Management Working Group and that officials have developed a Fraud Risk Management and Data Analytics Implementation Plan to strengthen DOE's capability to prevent, identify, and recover improper payments and fraud. However, DOE's plan is still in draft form and, according to DOE's technical comments, they will not begin using data analytics until fiscal year 2021. In addition, DOE said that existing payment recapture activities to identify and recover improper payments are sufficient. However, as we discuss in the report, DOE determined that it does not need to conduct payment recapture audits based on justifications submitted by the reporting sites. We continue to believe that by evaluating whether it could identify enough additional improper payments to make payment recapture audits cost-effective, such as by performing audits at a limited number of sites, DOE would have an opportunity to identify and recover additional improper payments or have better information to justify that payment recapture audits are not cost-effective. We plan to monitor DOE actions related to this recommendation.

Recommendation: The Office of the Chief Financial Officer should revise DOE's department-level process for conducting improper payment risk assessments to include (1) developing and documenting the rationale for the variable scale used to score risk factors and weighting of the payment reporting sites; and (2) documenting DOE's consideration of the inherent risk associated with the lag in identifying certain improper payments subsequent to the fiscal year they occurred to ensure that the process results in a reliable assessment of whether the department is susceptible to significant improper payments. (Recommendation 7)

Agency: Department of Energy
Status: Open

Comments: DOE did not agree with the recommendation to develop and document the rationale for the scale used to score risk factors and weighting of payment sites, stating that its risk assessment evaluates the volume and dollar amount of payments by payment category, payments subject to manual controls, and fluctuations in volume and dollar amounts. However, we are recommending that the OCFO document the weighting of all its risk factors, including its decision to consider as equal the risks identified by all sites-regardless of the dollar amount of outlays. We continue to believe that, because DOE did not properly document how it developed and considered risk factors during its fiscal year 2018 risk assessment, it cannot ensure that the process produces a reliable assessment of whether DOE is susceptible to significant improper payments. Regarding the consideration of inherent risk, DOE said that the Payment Integrity Risk Assessment directs payment reporting sites to consider inherent risk as part of DOE's Internal Control Program. However, even if none of the sites identifies the known lag in identifying improper payments as a risk, based on our review of DOE's Agency Financial Reports, this lag is a risk to DOE as a whole. Therefore, we continue to believe that DOE should document in its risk assessment process its consideration of the known lag in identifying improper payments. We plan to monitor DOE actions related to this recommendation.

Recommendation: The Office of the Chief Financial Officer should revise DOE's department-level policies and procedures for reviewing risk assessments submitted by payment reporting sites to require a review and approval of the documentation supporting these assessments to help ensure the accuracy of the sites' assessments. (Recommendation 8)

Agency: Department of Energy
Status: Open

Comments: DOE did not agree with the recommendation, stating that sufficient processes are in place for ensuring the accuracy of payment reporting sites' risk assessments. DOE also stated that OCFO's Payment Integrity Guidance instructs payment reporting sites to maintain detailed information supporting risk assessments. However, as we discuss in the report, 5 of the 10 sites we reviewed did not provide sufficient explanation or documentation supporting their ratings for several of the risk factors. We continue to believe that by developing, documenting, and implementing policies and procedures to require the OCFO to review documentation supporting payment site risk assessments, DOE would enhance its ability to adequately monitor its decentralized improper payment risk assessment process and help ensure that individual payment reporting sites accurately score their risk factors, leading DOE to obtain a more accurate and reliable assessment of its overall risk of susceptibility to improper payments. We plan to monitor DOE actions related to this recommendation.

Recommendation: The Office of the Chief Financial Officer should revise DOE's department-level policies and procedures for conducting improper payment risk assessments to define the process for overriding a payment reporting site's risk determination, when appropriate. (Recommendation 9)

Agency: Department of Energy
Status: Open

Comments: DOE agreed with the recommendation and said that itwill clarify the quality assurance process for the payment reporting sites' ratings; however, DOE will not override the individual payment sites' risk determinations. Instead, DOE plans to work as needed with payment reporting site officials to determine the appropriate risk ratings. We will monitor and report on DOE's progress in implementing these actions.

Recommendation: The Secretary of Defense should direct the DOD CIO to complete a department-wide inventory of existing IP-compliant devices and technologies to help with planning efforts and requirements development for the transition to IPv6. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the DOD CIO to develop a cost estimate as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the DOD CIO to develop a risk analysis as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Under Secretary of Defense for Acquisition and Sustainment should establish procedures requiring the military departments to collect and share findings from their peer reviews of MDAP contracting approaches—including choice of contract type—such as by updating the existing online compendium of best practices and lessons learned as they complete their reviews.

Agency: Department of Defense
Status: Open

Comments: DOD agreed with this recommendation, but as of August 2020 has not taken any action to implement it.

Recommendation: The U.S. Committee on the Marine Transportation System should complete a government-wide assessment of the economic, environmental, and safety risks posed by gaps in maritime infrastructure in the U.S. Arctic to inform investment priorities and decisions. (Recommendation 1)

Agency: Department of Transportation: Committee on the Marine Transportation System
Status: Open

Comments: CMTS partially concurred with our recommendation but also noted several areas of disagreement with our conclusions, which we addressed directly in our report. For example, we note in our report that CMTS itself has previously noted the importance of evaluating risks on a government-wide basis, and that it previously proposed a model for determining risk that considered the likelihood of adverse events actually occurring, vulnerability to damage, and potential consequences. Given its previous work in the U.S. Arctic and its coordinating role with its member agencies, CMTS is well suited to conduct a government-wide assessment of the risks posed by gaps in maritime infrastructure in the U.S. Arctic. As such, we stand by our recommendation and will continue to report on steps taken by CMTS to address it.

Recommendation: The appropriate entities within the Executive Office of the President, including the Office of Science and Technology Policy should develop and publish a strategy for addressing U.S. Arctic maritime infrastructure that identifies goals and objectives, performance measures to monitor agencies' progress over time, and the appropriate responses to address risks. (Recommendation 2)

Agency: Executive Office of the President: Office of Science and Technology Policy
Status: Open

Comments: OSTP neither agreed nor disagreed with the report's recommendations. OSTP acknowledged the Arctic is of critical national importance and noted interagency coordination can be implemented through the entities of the National Science and Technology Council, which is located within OSTP. As we note in our report, without a strategy for addressing U.S. Arctic maritime infrastructure that identifies goals and objectives, performance measures to monitor agencies' progress over time, and the appropriate responses to address risks, agencies lack assurance that their actions are effectively targeting priority areas and decision makers cannot gauge the extent of progress in addressing maritime infrastructure gaps. As such, we stand by our recommendation and will continue to evaluate OSTP's efforts to fully address it.

Recommendation: The appropriate entities within the Executive Office of the President, including the Office of Science and Technology Policy should designate the interagency group responsible for leading and coordinating federal efforts to address maritime infrastructure in the U.S. Arctic that includes all relevant stakeholders. (Recommendation 3)

Agency: Executive Office of the President: Office of Science and Technology Policy
Status: Open

Comments: OSTP neither agreed nor disagreed with the report's recommendations. OSTP acknowledged the Arctic is of critical national importance and noted interagency coordination can be implemented through the entities of the National Science and Technology Council, which is located within OSTP. OSTP noted the need for, and role of additional federal coordination, such as the Arctic Executive Steering Committee, is under consideration by OSTP. We continue to believe that the appropriate entities within the Executive Office of the President, including OSTP, should designate the interagency group responsible for leading and coordinating federal efforts to address maritime infrastructure in the U.S. Arctic that includes all relevant stakeholders. As we note in our report, without an interagency collaboration mechanism designated to lead these efforts, it is unclear who has responsibility for whole-of-government efforts to address U.S. Arctic maritime infrastructure. We will continue to monitor OSTP's efforts to fully address our recommendation.

Recommendation: The Director of the Federal Insurance Office should communicate to insurers in writing how it would utilize policyholder retention amounts in calculating "insurance losses" and "insured losses" in determining the program certification threshold, trigger, and cap, as applicable. (Recommendation 1)

Agency: Department of the Treasury: Office of the Under Secretary for Domestic Finance: Office of the Assistant Secretary for Financial Institutions: Office of Financial Institutions Policy: Federal Insurance Office
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Sustainment, in collaboration with the military departments, provide updated guidance for the oversight of privatized military housing, to include oversight objectives for each service to monitor the physical condition of privatized homes over the remaining duration of the ground leases. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Assistant Secretary of Defense for Sustainment (ASD (S)), as the Chief Housing Officer, issued guidance requiring the military departments to monitor work order completion for housing privatized under the Military Housing Privatization Initiative based on a combination of resident input, timeliness of work order completion, and number of repeat work orders for the same repair. The guidance also required increased tracking of MHPI project work orders by installation staff. Moving forward, the ASD(S) plans to issue quarterly program review guidance that establishes oversight objectives for the military departments to monitor the physical condition of MHPI housing over the duration of their project ground leases, formalizing the requirement that the data be monitored by the Chief Housing Officer. DOD expects this to be completed by December 2020. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Army should take steps, in collaboration with the Army's private housing partners, to review the indicators underlying the privatized housing project performance metrics to ensure they provide an accurate reflection of the condition and quality of the homes. (Recommendation 2

Agency: Department of Defense: Department of the Army: Office of the Secretary
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Secretary of the Army has taken several steps toward addressing this recommendation. For example, the Army published the Portfolio and Asset Management Handbook creating a multi-tiered assessment approach of performance metrics to measure the health of each privatized home through inspection, assessment, satisfaction, and feedback. The Army and the private housing partners revised the Incentive Fee Performance Management Plan, placing increased emphasis on resident satisfaction and work order/maintenance management. The Army also put Commanders in charge, ensuring Army leadership at every Army installation is tracking housing quality and safety. In late 2020, the Army plans to review and evaluate these actions and make a determination by 31 Jan 2021 if any changes or revisions are needed to best implement the recommendation. As such, we will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Air Force should take steps, in collaboration with the Air Force's private housing partners, to review the indicators underlying the privatized housing project performance metrics to ensure they provide an accurate reflection of the condition and quality of the homes. (Recommendation 3)

Agency: Department of Defense: Department of the Air Force: Office of the Secretary of the Air Force
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Air Force is engaging in several steps to address this recommendation. Specifically, in March 2020, the Air Force tasked each of the Military Housing Offices to inspect all move-in, move-out, and change of occupancy maintenance events and all emergency, urgent, and life, health, and safety work orders, which is outlined in Air Force guidance. The Air Force is also engaging in several ongoing actions. In response to a memo to the military departments to provide consistency of performance incentive fees, the Air Force was negotiating with the privatized housing project owners to update performance incentive fee metrics in accordance with ASD directed categories and weightings. As of August 2020, agreements had been finalized with 2 partners and work was ongoing with the remaining partners. In addition, the Air Force was working with the project owners to deploy Satisfacts, a survey tool to independently measure resident satisfaction with projects' work order performance, across all Air Force projects with an expected completion by December 2020. We will continue to monitor the status of these recommendations.

Recommendation: The Secretary of the Navy should take steps, in collaboration with the Navy and Marine Corps' private housing partners, to review the indicators underlying the privatized housing project performance metrics to ensure they provide an accurate reflection of the condition and quality of the homes. (Recommendation 4)

Agency: Department of Defense: Department of the Navy: Office of the Secretary
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Navy and Marine Corps are engaging in several steps to address this recommendation. Specifically, the Navy and Marine Corps have developed a centralized electronic data warehouse, which receives data from privatized housing partner maintenance systems to display work order and survey performance dashboards. By February 2021, the Navy expects to complete the development of metrics displayed by the data warehouse to include key service call performance metrics and resident feedback data. The Navy and Marine Corps are also developing a web-based monitoring matrix tool housing officials can use to evaluate the performance of privatized housing partners. The tool is intended to provide improved tracking capabilities and improved accessibility to information, thus providing more consistent oversight and improved advocacy service members and their families. The Navy is also working to hire 247 additional Navy and Marine Corps housing staff to review and analyze private partner provided recurring maintenance and customer satisfaction reports in an effort to strengthen oversight and monitoring, with an estimated completion of September 2020. Moving forward, we will continue to monitor the status of these and other efforts.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Sustainment, in collaboration with the military departments and private housing partners, establish minimum data requirements and consistent terminology and practices for work order data collection for comparability across installations and projects and to track trends over time. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: e Department of Defense (DOD) partially concurred with this recommendation. In its August 2020 response, DOD stated that the Assistant Secretary of Defense for Sustainment (ASD(S)), as the Chief Housing Officer, plans to issue a policy directing the military departments to establish, to the maximum extent practical, minimum data requirements and consistent terminology and practices for MHPI housing unit work order collection to aid in comparability across installations and projects, and for tracking trends over time. However, DOD noted that the department cannot mandate changes to existing MHPI project legal documents. DOD estimates that this effort will be completed by December 2021. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Sustainment require the military departments to establish a process to validate data collected by the private housing partners to better ensure the reliability and validity of work order data and to allow for more effective use of these data for monitoring and tracking purposes. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Assistant Secretary of Defense for Sustainment (ASD(S)), as the Chief Housing Officer, issued guidance directing the military departments to exercise proper oversight to ensure Military Housing Privatization Initiative (MHPI) projects perform in accordance with legal agreements, to include due diligence in monitoring and auditing project maintenance records and other project performance data. The guidance also required military departments to review their entire portfolios of MHPI projects to ensure accurate and appropriate work order management processes. In response to the new guidance, DOD noted that the military departments put in place appropriate oversight measures and undertook the required reviews, though the investigations of project business practices were ongoing in some cases. As another step, the ASD(S) plans to issue guidance directing the military departments to establish a process to validate data collected by their respective MHPI Project Owners to better ensure the reliability and validity of work order data and to allow for more effective use of these data for monitoring and tracking purposes. DOD expects this to be completed by the end of September 2020. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure the Assistant Secretary of Defense for Sustainment, in collaboration with the military departments, develop a process for collecting and calculating resident satisfaction data from the military departments to ensure that the data are compiled and calculated in a standardized and accurate way. (Recommendation 7)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense (DOD) partially concurred with this recommendation based on the fact that the draft report listed the incorrect office as the source for addressing the deficiency, but subsequently changed its response to concur after the recommendation was directed to the appropriate office in the final report. In its August 2020 response, DOD noted that the Assistant Secretary of Defense for Sustainment (ASD(S)) plans to issue guidance establishing a department-wide process for collecting and calculating resident satisfaction data to ensure that the data are compiled and calculated in a standardized and accurate way effective with the survey collection effort in Fiscal Year 2021. The department expects this effort to be completed by October 2020. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure the Assistant Secretary of Defense for Sustainment provides additional explanation of the data collected and reported in future reports to Congress, such as explaining the limitations of available survey data, how resident satisfaction was calculated, and reasons for any missing data, among other things. (Recommendation 8)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense (DOD) partially concurred with this recommendation. In its August 2020 response, DOD noted that the Assistant Secretary of Defense for Sustainment (ASD(S)) would provide additional explanation of the MHPI resident satisfaction data collected and reported in future annual Military Housing Privatization Initiative (MHPI) reports to Congress, effective with the annual report covering fiscal year 2019. DOD noted that the additional information will include, among other things, an explanation of the limitations of available survey data, how resident satisfaction was calculated, and reasons for any missing data. As of August 2020, the annual MHPI report covering fiscal year 2018 was in final coordination and the department noted that the report would addresses a vast majority, but not all, of the requirements identified in our recommendation. DOD noted that the additional information would be provided in the next annual MHPI report. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Army should develop and implement a plan to clearly and systematically communicate to residents the difference between the military housing office and the private partner. At a minimum, these plans should include the Army housing office's roles, responsibilities, locations, and contact information and should ensure that all residents are aware that they can directly contact Army housing office officials. (Recommendation 9)

Agency: Department of Defense: Department of the Army: Office of the Secretary
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its response, DOD noted that the Army developed a "Plain Language" briefing as required by the 2020 National Defense Authorization Act that included the Army Housing Office's roles, responsibilities, location, and contact information at each privatized housing project site. DOD noted that the intent of the briefing was to ensure that all residents were aware of their ability to directly contact Army Housing Office and/or the Garrison Commanders. DOD stated that the briefing was disseminated to all of the Military Housing Offices, who are using it in newcomer briefings, and stated that the briefing would be provided to all current residents of privatized military housing, but that measure would not be tracked due to attrition. In addition, DOD noted that Headquarters, Department of the Army was tasking Army Materiel Command to develop a more detailed plan to communicate to residents the difference between the Army Housing Office and the private housing partner. The Army's intent is to not only capture residents upon their arrival at an installation, but making the services of the MHO known over the duration of a resident's time on at installation. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Navy should develop and implement a plan to clearly and systematically communicate to residents the difference between the military housing office and the private partner. At a minimum, these plans should include the Navy housing office's roles, responsibilities, locations, and contact information and should ensure that all residents are aware that they can directly contact Navy housing office officials. (Recommendation 11)

Agency: Department of Defense: Department of the Navy: Office of the Secretary
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Navy has taken various steps to address this recommendation, with additional steps planned. For example, the Navy has ensured that each installation has a specific issue resolution process description marketing flyer available, both in hard copy and on the public housing websites, with a reminder that residents can contact both the privatized housing property manager and the Navy housing office with any issues. Moreover, every housing unit has been provided with a refrigerator magnet reminding residents that they can and should contact the Navy housing office if they have any issues with their home. In addition, the Navy and Marine Corps have established a requirement to contact each privatized housing resident not later than 15 days after move-in and again 60 days after move-in to provide an opportunity to request assistance and remind them of available support. Moving forward, the Navy has an ongoing effort to require private housing companies to market the same messaging as the service issue resolution processes for the MHOs that they support, for consistent advocacy messaging to the tenants. The information will be added to PPV partner websites, printed material and resident handbooks. The Navy also plans to use its annual survey to tracks resident satisfaction and awareness of the Navy's issue resolution process, with expected completion by October 2020. In addition, the Marine Corps has identified a near-term initiative to procure name tags for all MHO employees to wear, identifying themselves as distinct and separate from privatized housing property management company, which will be standardized across all USMC installations. The Marine Corps also plans to develop a standard welcome aboard package to include magnets and other items with key point of contact information. The Marine Corps expects these efforts to be completed by the end of September 2020.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Sustainment, in collaboration with the military departments, assess the risks of proposed initiatives aimed at improving the privatized military housing program on the financial viability of the projects. (Recommendation 12)

Agency: Department of Defense: Office of the Secretary of Defense
Status: Open

Comments: The Department of Defense (DOD) concurred with this recommendation. In its August 2020 response, DOD noted that the Assistant Secretary of Defense for Sustainment, as the Chief Housing Officer, planned to issue a policy establishing the assessment of Military Housing Privatization Initiative (MHPI) project financial viability as part of quarterly program reviews as a long-term requirement. The department noted that the program review data would be augmented by input from the MHPI companies, who are assessing the likely impact of proposed initiatives in conjunction with their third party lenders. The department expected this effort to be completed by December 2020. We will continue to monitor the status of this recommendation.

Recommendation: The Administrator of FAA should conduct and document a risk assessment that considers inherent and residual fraud and abuse risks that may enable criminal, national security, or safety risks. (Recommendation 1)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should determine impact, likelihood, and risk tolerance as part of a risk assessment. (Recommendation 2)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should develop a strategy that outlines specific actions to address analyzed risks, including periodic assessments to evaluate continuing effectiveness of the risk response. (Recommendation 3)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should collect and record information on individual registrants, initially including name, address, date of birth, and driver's license or pilot's license, or both, with subsequent PII elements informed by the risk assessment, once completed. (Recommendation 4)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should collect and record information on legal entities not traded publicly—on each individual and entity that owns more than 25 percent of the aircraft; for individuals: name, date of birth, physical address, and driver's license or pilot's license, or both; and for entities: name, physical address, state of residence, and taxpayer identification number. (Recommendation 5)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should verify aircraft registration applicants' and dealers' eligibility and information. (Recommendation 6)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should increase aircraft registration and dealer fees to ensure the fees are sufficient to cover the costs of FAA efforts to collect and verify applicant information while keeping pace with inflation. (Recommendation 7)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should ensure, as part of aircraft registry IT modernization, that information currently collected in ancillary files or in PDF format on (1) owners and related individuals and entities with potentially significant responsibilities for aircraft ownership (e.g., beneficial owners, trustors, trustees, beneficiaries, stockholders, directors, and managers) and (2) declarations of international operations is recorded in an electronic format that facilitates data analytics by FAA and its stakeholders. (Recommendation 8)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should link information on owners and related individuals and entities with significant responsibilities for aircraft ownership through a common identifier. (Recommendation 9)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should, as part of IT modernization, develop an approach to check OFAC sanctions data on owners and related individuals and entities with potentially significant responsibilities for aircraft ownership for coordination with OFAC and to flag sanctioned individuals and entities across aircraft registration and dealer systems. (Recommendation 10)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should use data collected as part of IT modernization as well as current data sources to identify and analyze patterns of activity indicative of fraud or abuse, based on information from declarations of international operations, postal addresses, sanctions listings, and other sources, and information on dealers, noncitizen corporations, and individuals and entities with significant responsibilities for aircraft ownership. (Recommendation 11)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should develop and implement risk-based mitigation actions to address potential fraud and abuse identified through data analyses. (Recommendation 12)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA should develop mechanisms, including regulations if necessary, for dealer suspension and revocation. (Recommendation 13)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA, in coordination with relevant law-enforcement agencies, should enhance coordination within the Aircraft Registry Task Force through collaborative mechanisms such as written agreements and use of liaison positions. (Recommendation 14)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of FAA, in coordination with relevant law-enforcement agencies, should develop a mechanism to provide declarations of international operations for law-enforcement purposes. (Recommendation 15)

Agency: Department of Transportation: Federal Aviation Administration: Office of the Administrator
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OCC should establish internal written policies to effectively implement and document the State Plan review and approval process for future review and approval periods. (Recommendation 1)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us it has been working on establishing written policies (e.g., internal guidance documents and checklists) to implement and document the State Plan review and approval process. OCC expects to complete this work for the FY2022-2024 Plan period. We will continue to monitor OCC's efforts to implement this recommendation.

Recommendation: The Director of OCC should define the informational needs related to the results of program-integrity activities. (Recommendation 2)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to incorporate its information needs regarding the results of program integrity into the Preprint document as it develops the document. We will continue to monitor OCC's progress in implementing this recommendation.

Recommendation: The Director of OCC should communicate externally to the states its informational needs related to the results of states' program-integrity activities. (Recommendation 3)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to communicate its information needs regarding the results of program integrity activities to states and territories as part of the Preprint Training activities - including webinars and peer-to-peer virtual meetings - so Lead Agencies understand what is expected for them to address in the CCDF Plan. We will continue to monitor OCC's progress in implementing this recommendation.

Recommendation: The Director of OCC should communicate internally to staff its informational needs related to the results of states' program-integrity activities. (Recommendation 4)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to communicate its information needs regarding the results of program integrity activities to staff in both regional and central offices as part of the Preprint Training activities so staff understand what is expected for Lead Agencies to address in the CCDF Plan. We will continue to monitor OCC's progress in implementing this recommendation.

Recommendation: The Director of OCC should develop documented criteria to guide the review of CAPs submitted by states to ensure that proposed corrective actions are aimed at root causes of improper payments and are effectively implemented. (Recommendation 5)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us it revised the CAP Review Tool to in response to our recommendation. OCC also told us that it plans to implement the revised CAP Review Tool beginning September 2020 to document the review of CAPs submitted for the most recent ACF-404 reporting cycle (June 2020). We asked OCC to provide documentation showing the revised CAP Review Tool is responsive to our recommendation. We will update this recommendation status after reviewing the documentation OCC provides.

Recommendation: The Director of OCC should timely complete its effort to develop established written policies for the CAP follow-up process to ensure that OCC's oversight and monitoring of CAPs is carried out consistently. (Recommendation 6)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us it developed draft written policies for the CAP follow-up process to ensure that OCC's oversight and monitoring of CAPs is carried out consistently. However, due to the impact of the COVID-19 on staffing capacity, OCC has not presented the draft policies to regional offices for feedback. OCC told us it plans to finalize the written policies for the CAP follow-up process by December 2020. We will continue to monitor OCC's progress in implementing this recommendation.

Recommendation: The Director of OCC should develop and document criteria to assess the effectiveness of states' program-integrity control activities. (Recommendation 7)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us it analyzed information gathered from federal and state resources to develop and document criteria to be used to assess the effectiveness of states' program integrity control activities. We asked OCC to provide us the document showing all criteria to be used to assess the effectiveness of states' program integrity control activities. We will update this recommendation status after reviewing the documentation OCC provides.

Recommendation: The Director of OCC should evaluate the feasibility of collecting information from the Grantee Internal Controls Self-Assessment Instrument (Self-Assessment Instrument) and Fraud Toolkit, such as during its Monitoring System process, to monitor the effectiveness of states' program-integrity control activities. (Recommendation 8)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open

Comments: In September 2020, OCC told us it is working to make the Self-Assessment Instrument and Fraud Toolkit more user-friendly to encourage increased use within the state CCDF program. With increased usage, OCC believes it will be in a better position to assess how the collection of data from these two instruments can be incorporated into the Onsite Monitoring System or other oversight activity. OCC told us it anticipates completing work to implement this recommendation by December 2020. We will continue to monitor OCC's progress in implementing this recommendation.

Recommendation: The Assistant Secretary for ACF should ensure that ACF conducts a fraud risk assessment to provide a basis for the documentation and development of an antifraud strategy that describes the CCDF program's approach to address prioritizing fraud risks identified. (Recommendation 9)

Agency: Department of Health and Human Services: Administration for Children and Families
Status: Open

Comments: In September 2020, HHS told us it anticipates completing the initial fraud risk assessment for the CCDF program by December 2020. We will continue to monitor HHS's efforts to implement this recommendation.

Recommendation: The Commissioner of Internal Revenue should designate a dedicated entity to provide oversight of agency-wide efforts to detect, prevent, and resolve business IDT, consistent with leading practices. This may involve designating one business unit as a lead entity or leveraging cooperative relationships between business units to establish a business IDT leadership team. This entity should have defined responsibilities and authority for managing fraud risk. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In January 2020, IRS agreed to designate a dedicated entity to provide oversight of agency-wide business IDT efforts and stated that it will determine the appropriate oversight structure and scope of authority.

Recommendation: The Commissioner of Internal Revenue should develop a fraud risk profile for business IDT that aligns with leading practices. This should include (1) identifying inherent fraud risks of business IDT, (2) assessing the likelihood and impact of inherent fraud risks, (3) determining fraud risk tolerance, and (4) examining the suitability of existing fraud controls. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should develop, document, and implement a strategy for addressing fraud risks that will be identified in its fraud risk profile. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should ensure that IRS collects additional data on business IDT by identifying and implementing new fraud filters consistent with its fraud risk profile. This should include prioritizing IDT filters for tax forms determined to be most at risk based on an analysis of risk tolerances. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.

Recommendation: The Commissioner of Internal Revenue should identify and implement methods to address delays in resolving business IDT cases due to correspondence-based authentication. This could involve using different methods for taxpayer authentication based on the risk level of the return. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation. In January 2020, IRS stated that it will complete an analysis of other authentication methods.

Recommendation: The Commissioner of Internal Revenue should establish customer service-oriented performance goals for resolving business IDT cases. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. In January 2020, IRS stated that it will review its customer service-oriented performance goals and modify them, as warranted, to address the resolution of business identity theft cases. Doing so would meet the intent of our recommendation.

Recommendation: The SEC Chair should direct the Directors of the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop written policies and processes to systematically assess the effectiveness of staff procedures (procedures applicable to staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings). Examples of elements SEC could include in the policies and processes are the steps necessary to conduct such assessments, including time frames in which the assessments should be performed and reviewed; assignment of responsibilities related to the assessments; requirements for documenting assessments; and steps for staff to take to mitigate and report deficiencies identified as a result of the assessments. (Recommendation 1)

Agency: United States Securities and Exchange Commission
Status: Open

Comments: As of May 2020, SEC updated its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to require the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop and maintain written policies and processes for conducting systematic assessments of the effectiveness of procedures applicable to the staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings. The added requirement for each division and office to develop policies and processes is a positive step toward addressing this recommendation. However, until the divisions and offices establish such policies and processes, this recommendation remains open. SEC staff stated that the divisions and offices are currently working on developing their individual frameworks for assessing staff procedures and will likely be done by the end of fiscal year 2020. We will continue to monitor these efforts.

Recommendation: The Director of the Division of Corporation Finance should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 2)

Agency: United States Securities and Exchange Commission: Division of Corporation Finance
Status: Open

Comments: As of May 2020, SEC staff said that the Division of Corporation Finance is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the Fall 2020. We will update the status of the recommendation when the Division of Corporation Finance provides documentation showing the implementation of responsive actions.

Recommendation: The Director of the Division of Enforcement should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 3)

Agency: United States Securities and Exchange Commission: Division of Enforcement
Status: Open

Comments: As of May 2020, SEC staff said that the Division of Enforcement is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the Fall 2020. We will update the status of the recommendation when the Division of Enforcement provides documentation showing the implementation of responsive actions.

Recommendation: The Director of the Office of Compliance Inspections and Examinations should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 4)

Agency: United States Securities and Exchange Commission: Office of Compliance Inspections and Examinations
Status: Open

Comments: As of May 2020, SEC staff said that the Office of Compliance Inspections and Examinations is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the Fall 2020. We will update the status of the recommendation when the Office of Compliance Inspections and Examinations provides documentation showing the implementation of responsive actions.

Recommendation: The Director of the Office of Credit Ratings should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 5)

Agency: United States Securities and Exchange Commission: Office of Credit Ratings
Status: Open

Comments: As of May 2020, SEC staff said that the Office of Credit Ratings is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in the Fall 2020. We will update the status of the recommendation when the Office of Credit Ratings provides documentation showing the implementation of responsive actions.

Recommendation: The OJJDP Administrator should set performance targets for individual grant programs. (Recommendation 1)

Agency: Department of Justice: Office of Juvenile Justice and Delinquency Prevention
Status: Open

Comments: In June 2020, DOJ reported that OJJDP is engaged in a comprehensive effort to improve performance measures. The final step of this process will be the development of performance targets. According to DOJ, OJJDP anticipates setting initial targets for its discretionary grant programs by October 2021 and for the Title II Formula Grant program by March 2023. We believe these actions, when effectively completed, will address our recommendation. We plan to provide an update on OJP's progress in late 2021.

Recommendation: The Assistant Attorney General for Administration should ensure that future department-level fraud risk profiles (1) determine the department's fraud risk tolerance for DOJ grants—which include OJJDP grant programs, and (2) prioritize residual fraud risks based on an assessment against that tolerance, consistent with leading practices in GAO's Fraud Risk Framework. (Recommendation 2)

Agency: Department of Justice: Office of the Assistant Attorney General for Administration
Status: Open

Comments: In June 2020, DOJ reported that it awarded a new contract in January 2020 that includes a requirement to continue conducting annual fraud risk assessments and update associated fraud risk profiles using the GAO Fraud Risk Framework. DOJ further reported that it will develop a fraud risk tolerance for DOJ grants and prioritize residual fraud risk against that tolerance when it conducts this assessment. We believe these actions, when effectively completed, will address our recommendation. We plan to follow-up with DOJ and provide an update in early 2021.

Recommendation: The Board of Governors of the Federal Reserve System should, in coordination with the other federal banking regulators, and with input from BSA/AML examiners and other relevant stakeholders, take steps to improve examiners' ability to evaluate the effectiveness of banks' BSA/AML compliance controls with respect to money transmitter accounts. Steps may include providing updates to examination procedures, examiner training, or a combination of methods. (Recommendation 1)

Agency: Federal Reserve System
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Comptroller of the Currency should, in coordination with the other federal banking regulators, and with input from BSA/AML examiners and other relevant stakeholders, take steps to improve examiners' ability to evaluate the effectiveness of banks' BSA/AML compliance controls with respect to money transmitter accounts. Steps may include providing updates to examination procedures, examiner training, or a combination of methods. (Recommendation 2)

Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the Federal Deposit Insurance Corporation should, in coordination with the other federal banking regulators, and with input from BSA/AML examiners and other relevant stakeholders, take steps to improve examiners' ability to evaluate the effectiveness of banks' BSA/AML compliance controls with respect to money transmitter accounts. Steps may include providing updates to examination procedures, examiner training, or a combination of methods. (Recommendation 3)

Agency: Federal Deposit Insurance Corporation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the National Credit Union Administration should, in coordination with the other federal banking regulators, and with input from BSA/AML examiners and other relevant stakeholders, take steps to improve examiners' ability to evaluate the effectiveness of banks' BSA/AML compliance controls with respect to money transmitter accounts. Steps may include providing updates to examination procedures, examiner training, or a combination of methods. (Recommendation 4)

Agency: National Credit Union Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Office of the Undersecretary of Defense (Comptroller) (OUSD[C]) should include an assessment of risks related to contractor ownership as part of its ongoing efforts to plan and conduct a department-wide fraud risk assessment. As part of this assessment, consistent with leading practices, DOD should involve relevant stakeholders with knowledge of emerging risks and use this information to help inform other types of risk assessments across the department, including for national security concerns. (Recommendation 1)

Agency: Department of Defense: Under Secretary of Defense (Comptroller)
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Director of the Permitting Council should incorporate selected best practices we have identified (maintaining the baseline schedule and conducting a risk analysis) into the Permitting Council's process for developing performance schedules for the infrastructure sectors covered under FAST-41. (Recommendation 1)

Agency: Federal Permitting Improvement Steering Council
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of FCC should ensure that FCC's Office of Managing Director follows the leading practices in GAO's fraud risk framework related to a dedicated entity's management of its antifraud activities, such as serving as the repository of knowledge on fraud risks and coordinating antifraud initiatives. (Recommendation 1)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was undertaking further improvements of its fraud risk management program consistent with this recommendation. FCC did not indicate a completion date. We will continue to monitor FCC's progress related to establishing a dedicated antifraud management entity.

Recommendation: The Chairman of FCC should plan regular fraud-risk assessments tailored to the high-cost program and assess these risks to determine the program's fraud risk profile, as provided in GAO's fraud risk framework. (Recommendation 2)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC stated that USAC will conduct a fraud risk assessment of the high-cost program, but did not specify a time-frame for this effort. We will continue to review FCC and USAC's progress toward completing this assessment, and any steps taken to routinize this assessment.

Recommendation: The Chairman of FCC should design and implement an antifraud strategy for the high-cost program with specific control activities, based upon the results of fraud-risk assessments and a corresponding fraud risk profile, as provided in GAO's fraud risk framework. (Recommendation 3)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC reported it will ensure the results of the high-cost program's fraud risk assessment, along with other efforts to implement the GAO fraud risk framework, result in an overall fraud risk strategy. FCC did not indicate a completion date for these efforts, and we will continue to track FCC progress in this area.

Recommendation: The Chairman of FCC should assess the model-based support mechanism to determine the extent to which it produces reliable cost estimates. (Recommendation 4)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC did not specify a time-frame for this effort. We will continue to review FCC's efforts related to this recommendation, including FCC efforts, if any, to verify the model's cost estimates.

Recommendation: The Chairman of FCC should consider whether to make use of the model-based support mechanism mandatory depending on the results of the assessment. (Recommendation 5)

Agency: Federal Communications Commission
Status: Open

Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC indicated that any such improvements may help facilitate the transition of carriers from legacy support mechanisms to the model-based support mechanism. FCC did not provide a time-frame for completion of this effort. We will continue to monitor FCC's progress and efforts in regard to this recommendation.

Recommendation: The Secretary of Veterans Affairs should ensure that the Under Secretary for Memorial Affairs update its cost-estimating procedures for cemetery construction projects to fully incorporate the 12 steps identified in the GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs.

Agency: Department of Veterans Affairs
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of BLM should develop a plan to conduct all required facility security assessments agency-wide, taking into consideration the agency's organizational structure, available resources, and training needs. (Recommendation 1)

Agency: Department of the Interior: Bureau of Land Management
Status: Open

Comments: BLM agreed with our recommendation and stated it intends to revise its policy and develop a plan to complete required facility security assessments. As of November 2019, BLM had not yet completed its plan.

Recommendation: The Director of the Park Service should develop a plan to conduct all required facility security assessments agency-wide, taking into consideration the agency's organizational structure, available resources, and training needs. (Recommendation 3)

Agency: Department of the Interior: National Park Service
Status: Open

Comments: Park Service agreed with our recommendation and cited its efforts to develop a plan that includes training and tools so that park unit staff can conduct the required assessments. As of November 2019, Park Service had not yet completed its plan.

Recommendation: The Director of the Park Service should update the agency's facility security assessment methodology to comply with requirements in the ISC Standard, including a step to consider the consequence of each undesirable event. (Recommendation 4)

Agency: Department of the Interior: National Park Service
Status: Open

Comments: Park Service agreed with our recommendation to update its facility security assessment methodology to comply with requirements in the ISC Standard. As of November 2019, Park Service had not yet updated its methodology.

Recommendation: The Director of BLM should develop a facility security assessment methodology that complies with requirements in the ISC Standard to assess all undesirable events and consider all three factors of risk for each undesirable event. (Recommendation 5)

Agency: Department of the Interior: Bureau of Land Management
Status: Open

Comments: BLM agreed with our recommendation and said it would revise its policy and develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, BLM had not yet developed its methodology.

Recommendation: The Director of FWS should develop a facility security assessment methodology that complies with requirements in the ISC Standard to assess all undesirable events and consider all three factors of risk for each undesirable event. (Recommendation 6)

Agency: Department of the Interior: United States Fish and Wildlife Service
Status: Open

Comments: FWS agreed with our recommendation and cited its efforts to develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, FWS had not yet developed its methodology.

Recommendation: The Secretary of Energy should direct DOE's Office of Environmental Management to revise EM's 2017 cleanup policy to establish how the EM program and DOE sites should apply the essential elements of a risk-informed decision-making framework into their current decision-making requirements and guidance. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: In April 2020, DOE officials told us that its Office of Environmental Management (EM) had recently reinvigorated efforts to develop a comprehensive program-wide strategy to address risks in a consistent manner to align cleanup plans and activities with programmatic priorities and available budgets. According to DOE officials, EM plans to revise and replace its 2017 Cleanup Policy with a Cleanup Project Management Protocol and and EM Cleanup Program Management Policy. Officials stated that the Cleanup Program Management Policy will establish an approach for the EM program and DOE sites to apply the essential elements of risk-informed decision-making framework. DOE officials estimated that this effort would be completed by December 31, 2020.

Recommendation: The Secretary of Energy should direct DOE's Office of Environmental Management, in the development of a program management plan, to incorporate essential elements of risk-informed decision-making. (Recommendation 2)

Agency: Department of Energy
Status: Open

Comments: In April 2020, DOE officials told us that DOE's Office of Environmental Management (EM) is developing a new Cleanup Program Management Policy that will incorporate the essential elements of risk-informed decision-making, as appropriate, into EM program management policy. DOE officials estimated that this effort will be completed by December 31, 2020.

Recommendation: The Director of OHS should perform a fraud risk assessment for the Head Start program, to include assessing the likelihood and impact of fraud risks it faces. (Recommendation 1)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open
Priority recommendation

Comments: In February 2020, HHS told us that the Administration for Children and Families (ACF) is developing a Fraud Risk Assessment template for all of its programs (including the Office of Head Start) and is on track to complete the initial Fraud Risk Assessment for its pilot program by June 30, 2020. Upon completion of the Fraud Risk Assessment for the ACF pilot program, ACF anticipates completing its initial Fraud Risk Assessment for OHS, by March 31, 2021. We will assess these actions once completed.

Recommendation: The Director of OHS should establish procedures to monitor and evaluate OHS's new internal workflows for monitoring reviews, to include establishing a baseline to measure the effect of these workflows and identify and address any problems impeding the effective implementation of new workflows to ensure timeliness goals for monitoring reviews are met. (Recommendation 3)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open

Comments: HHS did not concur with this recommendation. In February 2020, HHS stated that OHS regularly evaluates its effectiveness of its workflows to determine how to best adjust the system to support effective follow-up. HHS also stated that, for Fiscal Year 2020, OHS has updated its internal workflow timelines to increase responsiveness to identified findings and ensure grantee support. We will continue to monitor HHS's efforts in this area.

Recommendation: The Director of OHS should provide program-wide guidance on when a student's slot should be considered vacant due to absenteeism. (Recommendation 5)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open

Comments: In February 2020, OHS told us that it is finalizing program guidance that will address when a child's slot should be considered vacant due to absenteeism and what a program should do fill it. OHS stated that it anticipates having a final paper published by summer, 2020. We will continue to monitor OHS's efforts in this area.

Recommendation: The Director of OHS should develop and implement a method for grantees to document attendance and services under EHS pregnancy programs. (Recommendation 6)

Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open

Comments: In February 2020, OHS told us that it is developing a toolkit of resources specifically designed to offer best practice tips for Early Head Start programs on how to track attendance and services to pregnant women. OHS is surveying the Head Start community to better determine what resources are already available and how programs in different regions and cities track services to pregnant women. OHS anticipates a rollout for the toolkit by summer, 2020.

Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: The Secretary of the Army should ensure that the Deputy Chief of Staff, G-3/5/7 assess the risk associated with staffing, equipping, and training of new units that it plans to activate in an accelerated manner for the purposes of conducting multi-domain operations, taking into consideration the assessments performed on the first activated ICEWS battalion and the 915th Cyber Warfare Support Battalion. (Recommendation 3)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: The Army concurred with this recommendation. In its February 2020 corrective action plan, the Army indicated that it will conduct a FIFA or similar risk assessment in accordance with its policy and procedures before activating any new units for MDO employment. The Army has indicated that it plans to create additional units in support of multi-domain operations in coming years, so we will continue to monitor.

Recommendation: The Secretary of Energy, in coordination with the Administrator of NNSA, should formally communicate to the relevant congressional committees concerns about, and suggested changes to, the enhanced procurement authority in a timely manner. (Recommendation 1)

Agency: Department of Energy
Status: Open

Comments: NNSA agreed with the recommendation. NNSA officials said they submitted an assessment that includes information on suggested changes to the authority to the congressional committees in March 2020. We requested a copy of the assessment and will update the status of this recommendation after we receive and review it.

Recommendation: The Director of OMB should, in coordination with the Secretary of Homeland Security, establish guidance or other means to facilitate the sharing of successful approaches for agencies to address challenges in the areas of (1) managing competing priorities between cybersecurity and operations, such as when operational needs appear to conflict with cybersecurity requirements; (2) implementing consistent cybersecurity risk management policies and procedures across an agency; (3) incorporating cyber risks into enterprise risk management, and (4) establishing agencies' cybersecurity risk management strategies. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 2)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should update the department's policies to require (1) the use of risk assessments to inform security control tailoring and (2) the use of risk assessments to inform plan of actions and milestones (POA&M) prioritization. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Agriculture should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 4)

Agency: Department of Agriculture
Status: Open
Priority recommendation

Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 5)

Agency: Department of Commerce
Status: Open

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Commerce should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 6)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that its intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for a unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Energy should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 8)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 10)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should update the department's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform security control tailoring. (Recommendation 11)

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Health and Human Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 12)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 14)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Homeland Security should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 15)

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Housing and Urban Developing should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 16)

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, respond to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Interior should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 20)

Agency: Department of the Interior
Status: Open
Priority recommendation

Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that it cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 21)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, . the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Attorney General should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 22)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Labor should update the department's policies to require (1) the use of risk assessments to inform control tailoring and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 23)

Agency: Department of Labor
Status: Open

Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should update the department's policies to require (1) an organization-wide risk assessment, (2) an organization-wide strategy for monitoring control effectiveness, (3) system-level risk assessments, (4) the use of risk assessments to inform security control tailoring, and (5) the use of risk assessments to inform POA&M prioritization. (Recommendation 24)

Agency: Department of State
Status: Open

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of State should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 25)

Agency: Department of State
Status: Open
Priority recommendation

Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 26)

Agency: Department of Transportation
Status: Open
Priority recommendation

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Transportation should update the department's policies to require an organization-wide risk assessment. (Recommendation 27)

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update it policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 29)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 30)

Agency: Department of the Treasury
Status: Open
Priority recommendation

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of the Treasury should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 31)

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 32)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should update the department's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 33)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 34)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Veterans Affairs should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 35)

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should fully develop a cybersecurity risk management strategy that includes the key elements identified in this report. (Recommendation 38)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should update the agency's policies to require an organization-wide cybersecurity risk assessment. (Recommendation 39)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 40)

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of EPA should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 41)

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of General Services should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 44)

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of the National Aeronautics and Space Administration (NASA) should update the agency's policies to require (1) an organization-wide risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 46)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of NASA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 47)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization. (Recommendation 50)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.

Recommendation: The Chairman of NRC should establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 52)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of the Office of Personnel Management (OPM) should update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform control tailoring. (Recommendation 53)

Agency: Office of Personnel Management
Status: Open

Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Director of OPM should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 54)

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Administrator of SBA should establish a process for conducting an organization-wide cybersecurity risk assessment. (Recommendation 57)

Agency: Small Business Administration
Status: Open
Priority recommendation

Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Commissioner of the Social Security Administration should fully establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions. (Recommendation 58)

Agency: Social Security Administration
Status: Open
Priority recommendation

Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment to determine and identify in final guidance for middle-tier acquisition programs the metrics that will be used to assess the performance of middle-tier acquisition programs across the military departments, including whether programs are meeting statutory objectives. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation, and stated that it planned to determine performance metrics in coordination with its release of its final guidance on middle-tier programs, which DOD expected to release in late 2019. In December 2019, Congress passed the fiscal year 2020 National Defense Authorization Act. Section 837 in the Conference Report accompanying the Act requires DOD to submit a report to the congressional defense committees no later than December 15, 2019, that includes guidance on the use of middle-tier acquisition authority and the metrics required to assess the performance of such a program, among other topics. DOD's report, provided to Congress in January 2020, identified metrics that DOD planned to use to assess the performance of these programs. The Office of the Under Secretary of Defense for Acquisition and Sustainment subsequently leveraged these metrics in its March 2020 bi-annual review of middle-tier acquisition programs to assess program execution. However, DOD has yet to identify these metrics in guidance as we recommended, which we continue to believe is important to facilitate consistent reporting across the military departments and DOD components.

Recommendation: The Secretary of Defense should develop a plan for how the department will assess the effect of recent acquisition reforms, including identifying who will be responsible for the assessment and what data will be needed. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation, and stated that it has included a division in the Office of the Assistant Secretary of Defense for Acquisition to analyze the effect of recent acquisition reforms and other high-level oversight and policy issues. In December 2019, Congress took additional action. The Conference Report accompanying the fiscal year 2020 National Defense Authorization Act required DOD to submit a report with the budget for fiscal year 2021 on the progress of implementing acquisition reform initiatives. In response, DOD provided a report to Congress in March 2020 that includes how the Secretary will identify, quantify, assess and manage program risk, describes changes to DOD's data collection and sharing processes, and describes new acquisition frameworks to be implemented. However, the report does not address how DOD will assess the acquisition reforms, what data is needed, or who is responsible. Additionally, in August 2020, the Assistant Secretary of Defense approved a plan for assessing the implementation of new acquisition pathways at DOD. However, DOD is still identifying the specific data needed to assess each acquisition pathway, as well as determining how to assess the remaining acquisition reforms we covered in our June 2019 report. Therefore, we will continue to monitor DOD efforts to implement this recommendation.

Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau develops and obtains management approval of mitigation and contingency plans for all risks that require them. (Recommendation 1)

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.

Recommendation: The Secretary of Commerce should ensure that the Director of the Census Bureau updates the Bureau's decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk. (Recommendation 4)

Agency: Department of Commerce
Status: Open

Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response-with performance measures and milestones, where appropriate-to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.

Recommendation: EXIM's chief operating officer should direct EXIM's Credit Review and Compliance Division to assess and document the practicality of incorporating into its preauthorization Character, Reputational, and Transaction Integrity (CRTI) reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants, and, if practical, implement relevant approaches—such as manual searches or batch matching. (Recommendation 1)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In June 2020, we met with EXIM to discuss its efforts to assess the practicality of incorporating into its preauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants. Prior to the discussion, EXIM provided some information on its efforts. As part of the June 2020 discussion, we requested that EXIM provide additional information on its assessment. EXIM agreed to do so. We will provide an update on the status of this recommendation when we confirm what actions EXIM has taken in response to this recommendation.

Recommendation: EXIM's chief operating officer should direct EXIM's Credit Review and Compliance Division to assess and document the practicality of incorporating into its postauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants and participants, and, if practical, implement relevant approaches—such as manual searches or batch matching. (Recommendation 2)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In June 2020, we met with EXIM to discuss its efforts to assess the practicality of incorporating into its postauthorization CRTI reviews searches of data elements in SAM that indicate delinquent federal debts owed by applicants and participants. Prior to the discussion, EXIM provided some information on its efforts. As part of the June 2020 discussion, we requested that EXIM provide additional information on its assessment. EXIM agreed to do so. We will provide an update on the status of this recommendation when we confirm what actions EXIM has taken in response to this recommendation.

Recommendation: The Administrator of the Food and Nutrition Service should establish a process to plan and conduct regular fraud risk assessments for the school meals programs that align with the leading practices in the Fraud Risk Framework. (Recommendation 1)

Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open

Comments: As of September 12, 2019, USDA stated that it will undertake, over the course of the next year, a re-evaluation of its existing research and oversight activity to measure and assess fraud risk, its efforts to manage that risk, and its work to minimize the occurrence and impact of fraudulent activity on the school meal programs. USDA also stated that it will look to GAO's Fraud Risk Framework as a model for this effort. USDA expects this effort to include some new activity, such as a deeper examination of the underlying causes of program error in the agency's periodic studies of improper payments. USDA also views this as an opportunity to clarify and highlight how the agency's existing approach to risk management currently addresses fraud risk. USDA agrees that it is appropriate to review and refine its existing controls on a regular basis and recognizes that a more formalized assessment of fraud risk is likely to uncover gaps in existing activity that point to opportunities for further agency action. USDA commits to the development of a response to the effort that is appropriate to the scale of the identified risk and the broader mission of the school meal programs. In September 2020, USDA stated that it has been reviewing agency research and administrative data, as well as conducting new analysis. USDA is concluding work on its risk assessment and plans to circulate it within the agency for review soon. We will continue to monitor USDA's progress in this area.

Recommendation: The Director of the Division of Risk Management Supervision of FDIC should take steps to improve the completeness of matters requiring board attention (MRBA) data in its tracking system, in particular, by developing a structure that allows examiners to record MRBAs at progressively more granular levels (from a broad level such as examination area to more specific levels, including risk or concern type). (Recommendation 3)

Agency: Federal Deposit Insurance Corporation
Status: Open

Comments: FDIC agreed that a structure should be enhanced to allow staff to further categories MRBAs at the point of entry into the system. As of March 2020, no action has been taken on this recommendation. GAO will continue to monitor for any updates to FDIC procedures.

Recommendation: The Chairman of NRC should direct NRC staff to consider socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in an RDD. (Recommendation 1)

Agency: Nuclear Regulatory Commission
Status: Open
Priority recommendation

Comments: NRC disagreed with this recommendation, and NRC did not provide us with documentation of any actions it plans to take to implement this recommendation. NRC maintains that the current regulatory requirements provide for the safe and secure use of all radioactive materials, regardless of category. We disagree with NRC's assessment. We continue to believe that by implementing our recommendation NRC would have better assurance that it was considering more likely and more significant consequences of an RDD when establishing its security requirements for this material. We encourage NRC to take action to implement this recommendation.

Recommendation: The Chairman of NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material, and assess whether other category 3 materials should also be safeguarded with additional security measures. (Recommendation 2)

Agency: Nuclear Regulatory Commission
Status: Open
Priority recommendation

Comments: NRC neither explicitly agreed nor disagreed with this recommendation, but stated that it would consider our recommendation as part of a working group the agency has established. The working group provided a staff analysis on these issues to the Commission in August 2017, but NRC has not updated this analysis taking into account the new information we provided in our April 2019 report. We continue to believe that implementing our recommendation would provide greater assurance that NRC's requirements are sufficient to help ensure all high-risk radioactive material are protected from theft and use in an RDD. We encourage NRC to take action to implement this recommendation.

Recommendation: The Chairman of NRC should require all licensees to implement additional security measures when they have multiple quantities of category 3 americium-241 at a single facility that in total reach a category 1 or 2 quantity of material. (Recommendation 3)

Agency: Nuclear Regulatory Commission
Status: Open

Comments: NRC disagreed with this recommendation. NRC maintains that the issue of aggregation of radioactive material has already been considered and NRC has taken or is in the process of taking actions to clarify relevant guidance and procedures. We disagree with NRC's assessment. We believe that by implementing our recommendation NRC would have better assurance that licensees are not storing multiple quantities of category 3 americium-241 at a single facility that in total reach a category 1 or 2 quantity of material.

Recommendation: The Administrator of TSA should assess Security Operations guidance for applying root causes for test failures, and identify opportunities to clarify how they should be applied. (Recommendation 4)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it. In March 2020, TSA officials reported that they are developing new guidance to help testers identify and record root causes for covert test failures. Once TSA completes this guidance and GAO has been provided a copy for review, we will close this recommendation.

Recommendation: The Director of ICE should build on existing efforts to use data analytics by employing techniques, such as network analysis, to identify potential fraud indicators in schools petitioning for certification. (Recommendation 2)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should develop an implementation plan for the project aimed at strengthening background checks for DSOs; that plan should outline how the project will be executed, monitored, and controlled. (Recommendation 5)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should implement mandatory DSO training and verify that the training is completed. (Recommendation 6)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of ICE should complete the development and implementation of its plans for mandatory fraud-specific training for DSOs. (Recommendation 7)

Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open

Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of State should ensure that the Director of the Office of U.S. Foreign Assistance Resources provides missions with guidance that clearly documents the department's process for climate change risk assessments for integrated country strategies. (Recommendation 1)

Agency: Department of State
Status: Open

Comments: As of January 2020, the Department of State has revised its integrated country strategy guidance to inform posts that they have the option to include a climate risk assessment annex when they change or update their strategies. State noted that they plan to disseminate this guidance to posts in 2020.

Recommendation: The Secretary of Health and Human Services should revise HHS's process for conducting improper payment risk assessments for Head Start to help ensure that it results in a reliable assessment of whether the program is susceptible to significant improper payments. This should include preparing sufficient documentation to support its risk assessments. (Recommendation 1)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services (HHS) concurred with this recommendation. In fiscal year 2019, HHS reported that it utilized Microsoft SharePoint to facilitate and begin to automate the Improper Payment Risk Assessment process. According to HHS, the SharePoint risk assessment form included the added ability to track the status of submissions and collect any applicable supporting documentation. Also, HHS stated that the Assistant Secretary for Financial Resources staff discussed the importance of maintaining supporting documentation during the fiscal year 2019 Improper Payment Risk Assessment Kick-Off meeting with HHS's operating divisions, and also built this feature into the SharePoint form. In fiscal year 2020, HHS reported that the implementation of the long-term solution to conducting improper payment risk assessments, the Risk Assessment Portal (previously called the Automated Improper Payment Framework), is underway and went into production in March 2020. Additionally, HHS indicated that it has revised its improper payment questionnaire and scoring process to ensure HHS performs a reliable assessment of susceptibility to significant improper payments. Also, HHS stated that it will leverage the Risk Assessment Portal, new questionnaire, and revised scoring process in the fiscal year 2020 risk assessment reporting period. Further, HHS stated that it is reviewing GAO reports and resources, capturing best practices from other agencies, and soliciting feedback from HHS's operating divisions to further improve its processes. Last, HHS stated that it will continue to develop policies, procedures, and supporting tools throughout calendar year 2020. We will continue to monitor the agency's actions to address this recommendation.

Recommendation: The Secretary of Health and Human Services should revise HHS's procedures for conducting improper payment risk assessments to help ensure that all programs and activities are assessed for susceptibility to significant improper payments at least once every 3 years, as required by IPIA. (Recommendation 2)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: The Department of Health and Human Services (HHS) concurred with this recommendation. In fiscal year 2019, HHS reported that it utilized DATA Act information to create an inventory of programs and activities that could potentially be subject to improper payment risk assessment requirements. According to HHS, it developed a risk-based methodology for selecting programs and activities for review using the DATA Act files. Data fields within the DATA Act files allow HHS to further analyze the program and activity inventory. For example, the object class data enabled HHS to categorize the program's spending to provide insight into each program's unique risks. HHS stated that this methodology was used and documented in fiscal year 2019 but HHS plans to further refine and finalize this approach. In fiscal year 2020, HHS reported that its Office of the Inspector General (OIG) is currently reviewing the methodology as part of the Annual Inspector General review of HHS's improper payment reporting under the Improper Payments Elimination and Recovery Act of 2020. HHS stated that it will implement any feedback from the OIG, as well as lessons learned from the fiscal year 2019 and fiscal year 2020 risk assessment reporting period, in fiscal year 2021. We will continue to monitor the agency's actions to address this recommendation.

Recommendation: The Attorney General should revise DOJ's process for conducting improper payment risk assessments for Law Enforcement to help ensure that it results in a reliable assessment of whether the program is susceptible to significant improper payments. This should include preparing sufficient documentation to support DOJ's risk assessments. (Recommendation 4)

Agency: Department of Justice
Status: Open
Priority recommendation

Comments: The Department of Justice (DOJ) did not concur with this recommendation. In January 2020, DOJ reiterated that it continues to not concur with the recommendation. DOJ stated that its risk assessment methodology provides DOJ management with a reasonable basis for determining whether the law enforcement program, as well as DOJ's other four mission-aligned programs, are susceptible to significant improper payments. In addition, DOJ reiterated that it continues to not concur with GAO's conclusion that DOJ's risk assessment documentation is not adequate. DOJ stated that its documentation meets all of the requirements in the Improper Payments Information Act of 2002 (IPIA), as amended, and the Office of Management and Budget's (OMB) implementing guidance. Therefore, DOJ stated that it does not believe it would be a prudent use of limited resources to expand on the documentation that already exists. DOJ stated that notwithstanding its differences from GAO on the recommendation, it will continue to examine its risk assessment methodology. Finally, DOJ stated that its goal has been, and continues to be, meeting the requirements of IPIA, as amended, and OMB's implementing guidance in a cost effective manner. We continue to believe this recommendation is appropriate because DOJ's risk assessment documentation did not adequately demonstrate how DOJ determined the weighting of the risk factors or the numerical risk level ranges or whether a program is or is not susceptible to significant improper payments. We will continue to monitor the agency's actions to address the recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA reported that it completed a review of the Pipeline Security Guideline criteria for determining critical facilities. TSA sought and received pipeline stakeholder comments following their review of the criteria. According to TSA officials, TSA is sharing draft criteria with federal stakeholders and anticipates completion of the review by December 31, 2020. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should develop a strategic workforce plan for its Security Policy and Industry Engagement's Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR). (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Priority recommendation

Comments: As of June 2020, TSA reported that officials, including TSA's Office of Human Capital Strategic Planning, began collaborating to draft a strategic workforce plan for the pipeline security section of TSA. According to the officials, while this effort was delayed as TSA's Office of Human Capital needed focus on protecting TSA's workforce in response to the COVID-19 public health emergency, progress has been made. Phase one of a four-phase process began the week of 6/8/2020, with a Manpower Study to be completed by October 2020. The second phase will be a job skills/competency analysis and the third and fourth phases are position management and classification, and plan development and approval, respectively. TSA estimated completion of the workforce plan by June 30, 2021. We will continue to monitor the status of these efforts to develop a strategic workforce plan in response to this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA officials reported meeting with representatives from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) in February and March 2019 for their input on the identification of sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities. TSA officials also reported meeting with RAND personnel in March 2020 to discuss possible contract options for addressing this recommendation. Further action on this recommendation has been limited due to work on the COVID-19 response. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach. (Recommendation 7)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, DHS officials reported that TSA will take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool after addressing recommendations 4,5, and 6 of this report. DHS estimated that this effort would be completed by April 30, 2021.

Recommendation: The Director of OMB should take steps to update OMB guidance to specify other types of quality information that agencies with programs noncompliant for 3 or more consecutive years should include in their notifications to Congress, such as significant matters related to risks, issues, root causes, measurable milestones, designated senior officials, accountability mechanisms, and corrective actions or strategies planned or taken by agencies to achieve compliance. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation

Comments: The Office of Management and Budget (OMB) neither agreed or disagreed with the recommendation but stated that it had no comments. In January 2020, OMB informed us that it had no status updates to provide at this time. We will continue to monitor agency's actions to address this recommendation.

Recommendation: FERC should provide standard language and procedures to its staff on how to record information collected during inspections, including how and where to record information about safety deficiencies, in order to facilitate analysis of safety deficiencies across FERC's portfolio of regulated dams. (Recommendation 1)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In February 2020, GAO confirmed that FERC had developed new standard operating procedures related for tracking deficiencies and follow-up items arising from dam safety inspections and other dam safety reviews. In addition, FERC told GAO that they plan to update their tracking system beginning in fiscal year 2021, which will facilitate the complete recording and subsequent analysis of safety deficiencies from inspections across FERC's portfolio of regulated dams. GAO will continue to monitor FERC's efforts to implement this recommendation.

Recommendation: FERC should use information from its inspections to assess safety risks across its portfolio of regulated dams to identify and prioritize safety risks at a national level. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In January 2019, FERC told GAO that it had begun developing a screening-level risk-assessment program to assess safety risks across the inventory of regulated dams and to help guide safety decisions. In February 2020, GAO confirmed that FERC had completed this screening-level risk assessment, and conducted some preliminary analysis of the results. In addition, FERC told GAO that the results of the screening level risk analyses will be used to revise the potential timing, frequency, and technical disciplines represented on dam safety inspections; to confirm or revise the urgency of existing and potential new follow up dam safety actions; and to identify previously unrecognized dam safety concerns and issues; to identify new dam safety priorities. GAO will continue to monitor FERC's efforts to implement this program.

Recommendation: The Administrator of SBA should conduct and document reviews of staff compliance with procedures associated with HUBZone certification and recertification. (Recommendation 2)

Agency: Small Business Administration
Status: Open

Comments: In January 2020, SBA officials told us that the agency is re-aligning resources and developing standards to reflect new processing times for certifications and recertifications, which will include revised employee performance elements and quarterly performance reviews. When SBA has completed these changes, we will assess whether the agency is conducting and documenting reviews of staff compliance.

Recommendation: The Secretary of Veterans Affairs should ensure that VA's Director of the Office of Acquisition and Logistics, in consultation with VA's Office of Small and Disadvantaged Business Utilization, takes measures to ensure that VA contracting staff adhere to the requirements for documenting the required Vendor Information Pages searches in contract files. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA reported that it was beginning a process to update its contracting system to automate the inclusion of documentation of Vendor Information Pages searches in contract files. VA is also now tracking compliance rates. VA plans to provide GAO an update in fall 2020.

Recommendation: The Secretary of Veterans Affairs should ensure that the Director of the Office of Acquisition and Logistics conducts a fraud risk assessment for the Veterans First program. (Recommendation 5)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA provided GAO with a draft fraud risk assessment, and also reported that it is developing measures to mitigate identified risks. VA has not yet provided a date by which it plans to finalize its risk assessment and risk mitigation measures.

Recommendation: The Secretary of Veterans Affairs should ensure that the Director of the Office of Acquisition and Logistics directs the Risk Management and Compliance Service to share, through guidance, training, or other methods, subcontracting limitation risks and monitoring practices with contracting officers and their management. (Recommendation 6)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation and is taking steps to implement it. In August 2020, VA provided draft lists of subcontracting limitations risks, as well as draft monitoring guidance and tools. After these items are finalized, VA plans to post them on a portal accessible to all VA contracting staff, but has yet to provide a date by which it expects to take this step.

Recommendation: The Administrator of the U.S. Seaway Corporation should establish a process to identify, analyze, and monitor risks to the system's use to inform future actions to address those risks. (Recommendation 1)

Agency: Department of Transportation: Saint Lawrence Seaway Development Corporation
Status: Open

Comments: As of August 2020, DOT reported that the St. Lawrence Seaway Development Corporation (SLSDC) is in the process of completing development of its new risk management program and anticipates having a final product that will be implemented by the end of 2020. GAO will continue to monitor the SLSDC's progress in implementing this recommendation.

Recommendation: The Assistant Secretary for Countering Weapons of Mass Destruction should develop a strategy and implementation plan to help the Department of Homeland Security, among other things, guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. (Recommendation 1)

Agency: Department of Homeland Security: Countering Weapons of Mass Destruction Office
Status: Open
Priority recommendation

Comments: DHS agreed with GAO's September 2018 recommendation and is taking actions to address it. Countering Weapons of Mass Destruction Office (CWMD) officials stated in December 2018 that CWMD plans to develop a strategy and implementation plan to help DHS guide, support, integrate and coordinate its chemical defense programs and activities; leverage resources and capabilities; and provide a roadmap for addressing any identified gaps. According to CWMD officials, the implementation plan would broadly address DHS chemical defense activities and programs to prevent, protect against, and respond to chemical incidents, including support to federal, state, tribal, and territorial operators and agencies, as well as the private sector. CWMD officials provided GAO with the completed strategy in December 2019 and plan to complete the implementation plan by December 2020. The strategy includes four overarching goals that will drive CWMD's mission in protecting American safety and security from chemical threats and incidents. We will continue to monitor the status of the implementation plan, as completion of both documents is essential to help the CWMD Office guide DHS's efforts to address fragmentation and coordination issues and would be consistent with the office's aim to establish a coherent mission.

Recommendation: The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and has taken steps to implement and monitor two new performance metrics intended to better demonstrate the CFATS program's effectiveness in enhancing national security and reducing national risk. Specifically, according to DHS, these new performance metrics allow for the (1) evaluation of the progress individual facilities have made in enhancing their security while part of the CFATS program, and (2) comparison of the security measures employed by CFATS-covered chemical facilities upon first entering the program against the improved and enhanced security measures contained in their approved CFATS security plans. DHS began reporting the two measures, "Average score of approved Site Security Plans" and "Average score of initial Site Security Plans", for the first quarter of fiscal year 2019. DHS stated that these measures will be used to demonstrate the percent increase in security score of facilities' security plans, resulting in a representation of the increase in the security posture across the facility population, which will be used internally to assess progress. GAO continues to monitor the results of these two new performance metrics.

Recommendation: The Administrator of CMS should complete a comprehensive, national risk assessment and take steps, as needed, to assure that resources to oversee expenditures reported by states are adequate and allocated based on areas of highest risk. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: CMS has taken steps to conduct a comprehensive national risk assessment. As of October 2019, CMS had developed a standard tool to assess risk and staff capacity. The agency indicated that once the assessment is complete, CMS will identify opportunities to increase resources, review the current allocation of financial staff, and determine the appropriate allocation of staff by state. We will continue to monitor CMS's action to complete this assessment.

Recommendation: The Administrator of CMS should clarify in internal guidance when a variance analysis on expenditures with higher match rates is required. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In October 2019, CMS indicated that the agency held meetings to clarify internal guidance on the variance analysis and is the process of drafting updated guidance for the CMS-64 review. We will continue to monitor CMS's actions to update the guidance.

Recommendation: The Administrator of CMS should revise the sampling methodology for reviewing expenditures for the Medicaid expansion population to better target reviews to areas of high risk. (Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In October 2019, CMS indicated that given their current resources, they believe the sampling methodology is sufficient and have no plans to revise it. The agency noted that the current methodology requires a minimum sample size but gives reviewers the flexibility to expand the size of the sample if warranted by risk and as resources permit. We continue to believe that the current methodology does not sufficiently target areas of high risk.

Recommendation: The Under Secretary for Health should work with the Department of Veterans Affairs (VA's) Office of Construction and Facilities Management to ensure that VHA incorporates the 12 steps in the GAO Cost Estimating and Assessment Guide in VHA's updated construction projects' cost-estimating guidance. (Recommendation 1)

Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open

Comments: The Office of Capital Asset Management Engineering and Support (OCAMES) is working with the Office of Construction and Facility Management (OCFM) to make necessary updates to CFM's Cost Estimating and Assessment Guide. GAO has reviewed VA's revisions and found that while they incorporated information on two of the 12 steps in GAO's Cost Estimating and Assessment Guide, the guidance currently meets or substantially meets only 4 of the 12 steps. GAO met with OCFM and OCAMES staff in April 2020 to further discuss our guidance and how to apply it. The VA staff will consider how to further apply our guidance.

Recommendation: The Under Secretary for Health should obtain information on cost increases, schedule delays, and reasons for contract modifications in its updated Capital Asset Database through requiring medical center staff to provide the information or another appropriate method. (Recommendation 5)

Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open

Comments: OCAMES is finalizing updates and fixing issues related to improvements to the Capital Asset Database; these updates include additional information related to change orders. Due to unexpected challenges with data connections and issues; however, these improvements have not yet been completed. The change in completion date is caused by data connection issues and progress on the overall system was stalled. GAO will continue to monitor VA's progress in implementing this recommendation.

Recommendation: The Under Secretary for Health should develop a comprehensive plan that includes elements such as milestones and roles and responsibilities for updating VHA's Capital Asset Database. (Recommendation 6)

Agency: Department of Veterans Affairs: Veterans Health Administration
Status: Open

Comments: OCAMES is still finalizing updates and fixing issues related to improvements to the Capital Asset Database. Until the updates have been finalized, roles and responsibilities cannot be created. Upon completion of updates, roles and responsibilities will be developed.

Recommendation: The Administrator of CMS should eliminate impediments to collaborative audits in managed care conducted by audit contractors and states, by ensuring that managed care audits are conducted regardless of which entity--the state or the managed care organization--recoups any identified overpayments. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Priority recommendation

Comments: CMS agreed with and has taken some steps to address this action, as recommended by GAO in July 2018. In September 2019, CMS reported that in July 2019 CMS held a meeting with states and collaborative audit contractors to discuss coordination of managed care audits, including a wide range of challenges with managed care audits. As result of the feedback and recommendations received, CMS is evaluating several process improvements and reiterated that audit contractors will continue to work with states to provide support and assistance in Medicaid managed care, and that Medicaid managed care audits should not be limited by MCO contract language. Although CMS has communicated to states the need to increase audits in managed care and address identified issues, it is unclear if these actions will remove known impediments to managed care audits or result in an increase in the number of collaborative audits. Implementing GAO's July 2018 recommendation is needed because few audits of Medicaid managed care have been conducted and overpayments can be significant based on the findings from federal and state audits and investigations that have been completed. .

Recommendation: The Commandant of the Coast Guard should work with Congress to include in the Coast Guard's annual 5-year CIP a discussion of the acquisition programs it prioritized that describes how trade-off decisions made could affect other acquisition programs, such as by delaying recapitalization efforts or needing to conduct Service Life Extension Projects for legacy assets. (Recommendation 1)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: The Coast Guard agreed with this recommendation and in August 2019 officials reported that the Coast Guard is working with DHS to include additional information that addresses how trade-off decisions made could affect other major acquisition programs in future CIP reports. It anticipates including this information in the FY 2021-2025 CIP, which it expects to release in late summer 2020.

Recommendation: The Commandant of the Coast Guard should require the Executive Oversight Council, in its role to facilitate a balanced and affordable acquisition portfolio, to annually review the acquisition portfolio collectively, specifically for long-term affordability. (Recommendation 2)

Agency: Department of Homeland Security: United States Coast Guard
Status: Open

Comments: The Coast Guard disagreed with this recommendation stating that other bodies within the Coast Guard--such as the Investment Board, Deputies Council, and Investment Review Board--are responsible for making decisions regarding out-year funding, while the Executive Oversight Council works outside of the annual budget process. DHS also stated that, to meet the spirit of our recommendation, the Coast Guard will update the Executive Oversight Council's charter to require a review of the collective acquisition portfolio, specifically evaluating long-term planning. We believe that updating the Executive Oversight Council's charter to include long-term-planning is a positive step. However, we continue to believe that in addition to long-term planning, the Executive Oversight Council should include the major acquisition portfolio's budget realities faced by the Coast Guard in its reviews, or long-term affordability. If the planning accounts for long-term funding considerations to achieve the Coast Guard's acquisition goals and objectives, we believe the intent of our recommendation would be met. The Coast Guard expects to complete the update of the EOC charter by by late summer 2020.

Recommendation: The acting Bank president and Board chairman should ensure that the Bank evaluates and implements methods to further promote and sustain an antifraud tone that permeates the Bank's organizational culture, as described in GAO's Fraud Risk Framework. This should include consideration of requiring training on fraud risks relevant to Bank programs, for new employees and all employees on an ongoing basis, with the training to include identifying roles and responsibilities in fraud risk management activities across the Bank. (Recommendation 1)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In November 2019, EXIM told us it continues work in this area and will provide us information on this work as it is completed. We will continue to monitor EXIM's progress in this area.

Recommendation: The acting Bank president and Board chairman should ensure that the Bank develops and implements an antifraud strategy with specific control activities, based upon the results of fraud risk assessments and a corresponding fraud risk profile, as provided in GAO's Fraud Risk Framework. (Recommendation 4)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In November 2019, EXIM told us it was in the final stages of its process for completing its antifraud strategy. We will continue to monitor EXIM's efforts in this area.

Recommendation: The acting Bank president and Board chairman should ensure that the Bank identifies, and then implements, the best options for sharing more fraud-related information--including details of fraud case referrals and outcomes--among Bank staff, to help build fraud awareness, as described in GAO's Fraud Risk Framework. (Recommendation 5)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In November 2019, EXIM stated that it is continuing to work with its Inspector General to implement this recommendation. We will continue to monitor EXIM's progress in this area.

Recommendation: The acting Bank president and Board chairman should lead efforts to collaborate with the Bank's OIG to identify a feasible, cost-effective means to systematically track outcomes of fraud referrals from the Bank to the OIG, including creating a means to link the OIG's proven cases of fraud to the specific Bank transactions from which the OIG actions arose. If any such means are found to be feasible and cost-effective, the acting Bank president and Board chairman should direct appropriate staff to implement them, with such information to be used for purposes consistent with GAO's Fraud Risk Framework, such as data analytics. (Recommendation 6)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In November 2019, EXIM stated that it is continuing to work with its Inspector General to implement this recommendation. We will continue to monitor EXIM's progress in this area.

Recommendation: The acting Bank president and Board chairman should ensure that the Bank monitors and evaluates outcomes of fraud risk management activities, using a risk-based approach and outcome-oriented metrics, and that it subsequently adapts antifraud activities or implements new ones, as determined to be appropriate and consistent with GAO's Fraud Risk Framework. (Recommendation 7)

Agency: Export-Import Bank of the United States
Status: Open

Comments: In November 2019, EXIM stated that it is continuing work to implement this recommendation. We will continue to monitor EXIM's progress in this area.

Recommendation: The NASA Associate Administrator for Human Exploration and Operations should direct the Commercial Crew Program to include the results of its schedule risk analysis in its mandatory quarterly reports to Congress. (Recommendation 1)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA did not concur with our recommendation that the Commercial Crew Program should include the results of its schedule analysis in its quarterly reports to Congress. In July 2019, NASA reaffirmed that it will be working to ensure that the contractors' schedules and the program's internal assessments sync up as the program gets closer to launch, which is the process it used in March 2019 leading up to SpaceX's uncrewed test flight. GAO continues to believe that the recommendation is valid because the program's schedule risk analysis would provide Congress with valuable insight into potential delays, which are likely.

Recommendation: The NASA Administrator should develop and maintain a contingency plan for ensuring a presence on the ISS until a Commercial Crew Program contractor is certified. (Recommendation 2)

Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation

Comments: NASA agreed with this recommendation. NASA stated that it is in discussions with Russia to obtain additional seats on its Soyuz spacecraft for NASA crew as a contingency plan. NASA is also providing Extra-Vehicular Activity and robotics training for a subset of cosmonauts to support U.S. Operating Segment operations, and looking at a possible extension of the duration of the Space X Demonstration 2 crewed test flight. In November 2019, NASA reported that it completed its actions for this recommendation. However, while NASA is working on potential solutions, there is no contingency plan in place. To fully implement this recommendation, NASA needs to provide documentation of its contingency plan.

Recommendation: The NASA Administrator should direct the Chief of Safety and Mission Assurance, the NASA Associate Administrator for Human Exploration and Operations, the Commercial Crew Program Manager, and the Commercial Crew Program Contracting Officer to collectively determine and document before the agency certification review how the agency will determine its risk tolerance level with respect to loss of crew. (Recommendation 3)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA partially concurred with our recommendation, stating it documented the agency's risk tolerance level with respect to loss of crew for the program in its May 2011 safety memo. NASA stated that ultimately the Commercial Crew Program is accountable for ensuring that the contractors' systems meet the loss of crew value of 1 in 270. In July 2019, the Commercial Crew Program noted that it will continue to determine its risk tolerance with respect to loss of crew and formally document its decisions at program management meetings. We continue to believe that, before agency certification, the key parties must collectively determine how the agency will determine its risk tolerance with response to loss of crew, as the risk tolerance for the loss of crew requirement depends on which entity is presenting the results of its analysis. We believe this approach will reduce confusion and increase transparency. In late September 2020, GAO received additional information from NASA on actions taken to implement this recommendation. We are currently assessing this information.

Recommendation: After completing the agency certification review, NASA's Chief Engineer and Chief of Safety and Mission Assurance, with support from the NASA Associate Administrator for Human Exploration and Operations and the Commercial Crew Program Manager, should document lessons learned related to loss of crew as a safety threshold for future crewed spaceflight missions, given the complexity of the metric. (Recommendation 4)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with our recommendation to document lessons learned related to the loss of crew requirement. In June 2020, NASA told us that they expect to take action to close this recommendation by the end of May 2021.

Recommendation: As MIBP moves forward with its plans to improve data collection and analysis, the Deputy Assistant Secretary for Defense, Manufacturing and Industrial Base Policy should determine a solution to make better use of existing lower-tier supplier information from program offices. (Recommendation 1)

Agency: Department of Defense: Office of the Under Secretary of Defense for Acquisition, Technology and Logistics: Office of Manufacturing and Industrial Base Policy: Deputy Assistant Secretary of Manufacturing and Industrial Base Policy
Status: Open

Comments: DOD partially concurred with this recommendation, noting that it plans to takes steps to identify and incorporate available supplier data from across the department into its defense industrial base data system, but noted that they only planned to rely on one data system, DIBNow, instead of continuing to develop its second data system, the Defense Planning Guidance Input and Retrieval System. The Industrial Policy Office, formerly Manufacturing and Industrial Base Policy, has taken some steps to improve sharing of industrial base analysis information across the Department, such as establishing a web repository of industrial base assessment information and subject matter expert contacts. However, these sharing tools continue to rely primarily on summary narratives and Industrial Policy has not incorporated program office lower-tier supplier data into this web repository or DIBnow. Industrial Policy has incorporated sub-tier supplier information into DIBnow from commercial industry sources, but these sources do not have the same level of insight into the supply chain as program offices. An Industrial Policy official said there are no plans to incorporate supply chain information from program offices because this information is proprietary and therefore cannot be incorporated into DIBnow, which is built and maintained by a contractor. DOD General Counsel has determined that contractors cannot have access to this proprietary information for the purposes of DIBnow. We continue to believe that program offices have the most complete insight into sub-tier suppliers, which is essential for DOD to achieve its goal of proactive industrial base risk analysis. Industrial Policy should continue to pursue risk reductions solutions, such as non-disclosure agreements and/or data masking, to make better use of existing lower-tier supplier information from program offices.

Recommendation: The Administrator should direct the Chief Information Officer to address, in conjunction with the Chief Human Capital Officer, gaps in IT workforce planning by fully implementing the eight key IT workforce planning activities noted in this report. (Recommendation 3)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort has an estimated completion date in fiscal year 2023.

Recommendation: The Administrator should direct the Chief Information Officer to address weaknesses in oversight practices and ensure routine oversight of all investments by taking action to document criteria for escalating investments among governance boards and establish procedures for tracking corrective actions for underperforming investments. (Recommendation 6)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. The agency now expects to complete actions to address this recommendation by November 2020.

Recommendation: The Administrator should ensure that the Chief Information Officer fully defines policies and procedures for developing the portfolio criteria, creating the portfolio, and evaluating the portfolio. (Recommendation 7)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. As of April 2020, the agency had not yet provided evidence that it had developed policies and procedures for evaluating the portfolio. We plan to continue following up on the status of efforts to address this recommendation.

Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes a cybersecurity strategy that, among other things, makes explicit the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments. (Recommendation 8)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. As of September 2020, NASA reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by 2021.

Recommendation: The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA's current security practices and operating environment. (Recommendation 10)

Agency: National Aeronautics and Space Administration
Status: Open

Comments: NASA concurred with this recommendation. As of September 2020, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be completed by 2021.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the FSM compact trust fund committee, works with other members of the committee to develop a distribution policy for the FSM compact trust fund, as required by the compact trust fund agreement, that takes into account potential strategies that could address risks to the fund's ability to provide a source of income after fiscal year 2023. (Recommendation 1)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and set a target date for implementation of October 1, 2023. In July 2018, Interior stated that the trust fund committees were in discussions related to identifying the parameters and principles for a distribution policy and formula(s) to calculate the distribution prior to preparing the text of a distribution policy, and that representatives from Interior and the State Department would discuss our recommendations with the trust fund committees. According to the Trust Fund Administrator and Interior, the distribution policy was discussed at subsequent trust fund committee meetings, and trust fund representatives met with FSM representatives in January 2019 to discuss the status of the trust fund and future scenarios for its management. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser presented a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's Joint Compact Review and Planning Committee (JCRP) had appointed a chief negotiator and, in light of this appointment, the FSM compact trust fund members would not be taking a position on a distribution policy on behalf of the FSM. The FSM's position is that the distribution policy and other future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the FSM compact trust fund committee and of the FSM Joint Economic Management Committee, works with other members of the committees to develop the fiscal procedures required by the compact trust fund agreement. (Recommendation 2)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that discussions among the trust fund committees and others were ongoing and the fiscal procedures applicable to the trust fund disbursements will be determined prior to October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser presented a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's position is that future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the FSM compact trust fund committee, works with other members of the committee to address the timing of the calculation of compact trust fund disbursements. (Recommendation 3)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that the trust fund committees have been discussing options for ensuring that the timing of the calculation of compact trust fund disbursements align with the budget process of the FSM and that, of the options reviewed thus far, using a multi-year rolling average was the favored option. Interior added that the final determination on the timing of the calculation of the trust fund disbursements will be addressed in the distribution policy. Interior set a target date for implementation of the recommendation to develop a distribution policy of October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser presented a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's position is that future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the RMI compact trust fund committee, works with other members of the committee to develop a distribution policy for the RMI compact trust fund, as required by the compact trust fund agreement, that takes into account potential strategies that could address risks to the fund's ability to provide a source of income after fiscal year 2023. (Recommendation 4)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and set a target date for implementation of October 1, 2023. In July 2018, Interior stated that the trust fund committees were in discussions related to identifying the parameters and principles for a distribution policy and formula(s) to calculate the distribution prior to preparing the text of a distribution policy, and that representatives from Interior and the State Department would discuss our recommendations with the trust fund committees. According to the Trust Fund Administrator and Interior, the distribution policy was discussed at subsequent trust fund committee meetings, and trust fund representatives met with RMI representatives in January 2019 to discuss the status of the trust fund and future scenarios for its management. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that the RMI government has determined that using the original distribution structure, with disbursements in the amount of annual grant assistance and full adjustment for inflation, remains the RMI's position. In addition, any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the RMI compact trust fund committee and of the RMI Joint Economic Management and Financial Accountability Committee, works with other members of the committees to develop the fiscal procedures required by the compact trust fund agreement. (Recommendation 5)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that discussions among the trust fund committees and others were ongoing and the fiscal procedures applicable to the trust fund disbursements will be determined prior to October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Secretary of the Interior should ensure that the Director of the Office of Insular Affairs, as Chairman of the RMI compact trust fund committee, works with other members of the committee to address the timing of the calculation of compact trust fund disbursements. (Recommendation 6)

Agency: Department of the Interior
Status: Open

Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that the trust fund committees have been discussing options for ensuring that the timing of the calculation of compact trust fund disbursements align with the budget process of the RMI and that, of the options reviewed thus far, using a multi-year rolling average was the favored option. Interior added that the final determination on the timing of the calculation of the trust fund disbursements will be addressed in the distribution policy. Interior set a target date for implementation of the recommendation to develop a distribution policy of October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials, based on IRS's research and determination, design and implement the corrective actions necessary to reasonably assure that IRS effectively resolves and records unpostable transactions in a timely manner, including establishing clearly defined time frames in the Internal Revenue Manual (IRM) by which the IRS operating divisions should correct unpostable transactions and appropriate related oversight and review processes. (Recommendation 18-02)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. As of September 30, 2019, three of the four operating divisions involved in this recommendation designed and implemented the corrective actions necessary to reasonably assure that IRS effectively resolved and recorded unpostable transactions in a timely manner. In March 2019, one operating division determined that based on the research performed, no actions needed to be taken by the operating division to effectively resolve and record unpostable transactions in a timely manner. We will continue to evaluate IRS's actions to address this recommendation during our audit of IRS's fiscal year 2020 financial statements.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the Submission Processing internal control review. These policies should include or be accompanied by procedures to (1) assess and update the review questions and cited IRM criteria to reasonably assure they align with the controls under review; (2) periodically evaluate and document a review of the error threshold methodology to assess its current validity based on changes to the operating environment; (3) report findings identified in the Findings and Corrective Actions Report; and (4) assess and monitor (a) safeguarding internal control activities across all work shifts, particularly during peak seasons, (b) safeguarding internal control activities for the appropriate use and destruction of hard copy taxpayer information, and (c) the results of relevant functional level reviews. (Recommendation 18-03)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During fiscal year 2019, IRS developed policies in the Internal Revenue Manual (IRM) for conducting and monitoring the Submission Processing internal control review. Specifically, the IRM addresses the (1) designated roles and responsibilities among IRS business units for ensuring the review questions and associated criteria are assessed and updated to align with internal controls under review; (2) requirements for periodically evaluating the error threshold methodology used in the review; (3) procedures for the review to assess and monitor (a) internal control activities across work shifts and (b) internal control activities for appropriate use and destruction of hard-copy taxpayer information. However, the IRM did not include requirements for reporting findings identified during all components of the internal control review and for assessing and monitoring results of relevant functional level reviews. Since IRS developed the relevant IRM policies and procedures after we had already performed our fiscal year 2019 internal control testing, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the Audit Management Checklist review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review; (2) clarify the minimum requirements for how frequently the review should be completed at its various facilities while considering factors that may affect the most appropriate timing of these reviews, such as changes in personnel, operational processes, or information technology; and (3) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. (Recommendation 18-04)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for (1) conducting the Audit Management Checklist reviews, including how frequently the reviews should be completed; (2) developing corrective actions for deficiencies; and (3) tracking the status of the corrective actions until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the All Events History Report review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review and (2) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. (Recommendation 18-05)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for conducting the All Events History Report reviews, including developing and monitoring corrective actions for deficiencies until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Secretary of Veterans Affairs should clearly articulate in VA's appeals plan how VA will monitor and assess the new appeals process compared to the legacy process, including specifying a balanced set of goals and measures--such as timeliness goals for all VBA appeals options and Board dockets, and measures of accuracy, veteran satisfaction, and cost--and related baseline data. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: VA concurred with this recommendation and, as of March 2020, addressed some but not all aspects of it. Regarding monitoring, VA has made progress in monitoring and addressing workload changes in its new and legacy appeals processes. For example, VA has developed sensitivity models and other analyses to monitor and forecast future VBA and Board workloads, production, and staffing requirements to help VA manage the new and legacy appeals processes. Further, the Board is aiming to complete non-remanded legacy appeals by December 2022 by first addressing hearing-requested appeals. However, VBA and the Board have yet to specify a complete set of balanced goals for monitoring the new and legacy appeals processes (e.g., timely and accurate processing of appeals while ensuring veteran satisfaction). For example, the Board will not establish timeliness goals for all new Board options until after collecting additional data during implementation of the new appeals process, thus delaying VA's vision for what successful implementation should look like and hindering awareness of resources required to achieve that vision. Regarding comparing the performance of the new and legacy appeals processes, VA officials have previously reported that they intend to use timeliness and productivity metrics from section 5 of the Appeals Modernization Act. Further, VBA and Board officials have articulated steps they are taking to collect, through surveys, comparable information on veterans' satisfaction with the new and legacy appeals processes. However, VA has not fully articulated detailed steps and timeframes for assessing the relative performance of the new and legacy appeals processes. For example, VA has not indicated how it will assess whether or the extent to which the new process, which also allows for multiple appeal opportunities, will achieve final resolution of veterans' appeals sooner, on average, than the legacy process, as we recommended in GAO-17-234. We will consider closing this recommendation when VA provides documentation indicating how it will assess the new appeals process against the legacy process vis a vis balanced measures.

Recommendation: The Secretary of Veterans Affairs should augment the master schedule for VA's appeals plan to reflect all activities--such as modifications to information technology (IT) systems--as well as assigned responsibilities, interdependencies, start and end dates for key activities for each workgroup, and resources, to establish accountability and reduce overall risk of implementation failures. (Recommendation 3)

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with this recommendation. Since our report was issued, VA took significant action on its project plan and in February 2019, implemented the Veterans Appeals Improvement and Modernization Act of 2017. VA provided increasingly more details in updates to its plan about sub-activities related to processing legacy appeals, monitoring implementation, drafting Board policies, training, and testing of the new process. For example, VA added activities related to the Rapid Appeals Modernization Program (RAMP) test of the VBA-only options as well as the test of the new Board options. In spring and summer 2018, according to VA officials, VA set a baseline schedule for implementing appeals reform in response to the potential February 2019 implementation date established in the Act. In October 2018, VA provided us with lower-level schedules and other related information that allowed us to conduct a more detailed assessment of VA's IMS against applicable best practices criteria. However, as of December 2018, VA's schedule did not fully align with best practices. For example, VA's schedule did not contain a work breakdown structure that defines the work, activities, and resources necessary to accomplish implementation-details that would inform resources and time needed for the project. (For details on this assessment, see GAO-19-272T.) While VA fully implemented appeals reform in February 2019, incorporating such lessons learned into future project planning could help VA improve its project scheduling capabilities. Specifically, in February 2020 VA reported that Caseflow-VA's replacement system intended to support appeals reform-had "minimal functionality," with many functionalities yet to be implemented. We will consider closing this recommendation when VA has produced a more complete plan for-and that establishes accountability and reduces risk of failure related to-developing, implementing, and integrating remaining key functionality envisioned under Caseflow. We will also continue tracking whether the Board addresses long-term Caseflow planning under recommendation 2 in GAO-17-234.

Recommendation: The Secretary of Veterans Affairs should ensure that the appeals plan more fully addresses risk associated with appeals reform--for example, by assessing risks against a balanced set of goals and measures, articulating success criteria and an assessment plan for RAMP, and testing or conducting sensitivity analyses of all appeals options--prior to fully implementing the new appeals process. (Recommendation 4)

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation to more fully address risks associated with implementing a new appeals process. As of March 2020, VA has taken many steps to address our recommendation, although key steps are remaining for VA to better assess risks associated with implementing appeals reform and managing appeals workloads in the legacy process. Specifically, since May 2018, VBA and Board officials reported developing and using new sensitivity analyses that would allow the agency to project potential budget needs and staffing requirements. Further, VBA is using these analyses to more accurately predict resolution of legacy appeals given certain assumptions. Furthermore, in addition to testing two appeal options available within VBA through its Rapid Appeals Modernization Program (RAMP), VA conducted small-scale testing of the three new Board appeals options through the Board's Early Applicability of Appeals Modernization (BEAAM) pilot, testing that was missing from VA's original November 2017 plan. VA also reported using lessons learned from testing all appeals options to update the implementation process. However, as designed, RAMP and BEAAM lacked well-defined, measurable criteria for assessing lessons learned from its testing, and the agency did not fully test all aspects of the appeals options before moving to full implementation in February 2019. Even though VA has fully implemented the new disability appeals process without addressing these aspects of our recommendation, many of the other principles of sound planning practices that informed our recommendation remain relevant, even after implementation, to ensure the new process meets veterans' needs. Specifically, VA has not developed mitigation strategies for all identified risks, such as veterans appealing to the Board at higher rates than expected or choosing more resource-intensive Board options, such as those involving new evidence or a hearing. As of January 2020, the more resource-intensive hearing option accounted for over 50 percent of new appeals inventory. At the same time, the Board reported it plans to prioritize resources on reducing the legacy appeals inventory and on the least resource intensive appeal option for which it established a timeliness goal. Although the Board has increased productivity, addressing legacy hearings will take several years as veterans may continue choosing the new hearing option at high rates and the Board prioritizes other workloads. This circumstance could subject veterans to longer wait times and increasing backlogs under the hearing option. As of March 2020, VA also has not established a complete and balanced set of goals and measures for the new appeals options, which are a necessary pre-condition to effectively assessing risk. Lacking a complete set of goals and measures, VA may not have comprehensively identified key risks.

Recommendation: The Director of the Consumer Financial Protection Bureau should engage in collaborative discussions with other relevant financial regulators in a group that includes all relevant stakeholders and has defined agency roles and outcomes to address issues related to consumers' use of account aggregation services. (Recommendation 5)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In a May 2018 letter, the Acting Director of the Bureau stated that the Bureau has previously issued principles that include reasonable and practical means for consumers to dispute and resolve instances of unauthorized payments conducted in connection with or as a result of authorized or unauthorized data sharing access. The letter notes that the Bureau is committed to monitoring developments in data aggregation markets and will continue to assess how the Bureau's consumer protection principles may be best realized, including engaging in discussions with other relevant federal and state financial regulators. In October 2018, Bureau staff advised us that they made a presentation on existing consumer protections that would appear to be applicable to consumers using data aggregators at the June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, and the National Credit Union Administration. They noted they are monitoring private sector efforts related to resolving data aggregation issues and that additional discussions among the regulators about these issues will be held in the future. We will recontact the agency in the future to obtain information on additional actions it has taken. In January 2020, GAO met with CFPB to discuss the recommendation and potential outcomes that could close the recommendation. CFPB officials stated that they will be hosting a public forum on data aggregation in February 2020. They noted that results from the public forum could include action related to the data aggregation recommendation.

Recommendation: The Chair of the Board of Governors of the Federal Reserve System should engage in collaborative discussions with other relevant financial regulators in a group that includes all relevant stakeholders and has defined agency roles and outcomes to address issues related to consumers' use of account aggregation services. (Recommendation 6)

Agency: Federal Reserve System: Board of Governors
Status: Open
Priority recommendation

Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of working together to determine how best to encourage socially beneficial innovation in the marketplace, while ensuring that consumers' interests are protected. The letter noted that the Federal Reserve staff have been meeting with other regulators and industry participants. The Chair states that the Federal Reserve will continue to facilitate and engage in collaborative discussions with other relevant financial regulators in these and other settings to help market participants address the important issues surrounding reimbursement for consumers who use financial account aggregators and experience unauthorized transactions. In October 2018, Federal Reserve staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau. They noted that they are monitoring private sector efforts related to resolving data aggregation issues and expect to hold additional discussions among the regulators about these issues in the future. In March 2019, the agency noted that it continues to collaborate on this issue. As of February 2020, the agency had no further updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.

Recommendation: The Chairman of the Federal Deposit Insurance Corporation should engage in collaborative discussions with other relevant financial regulators in a group that includes all relevant stakeholders and has defined agency roles and outcomes to address issues related to consumers' use of account aggregation services. (Recommendation 7)

Agency: Federal Deposit Insurance Corporation
Status: Open
Priority recommendation

Comments: In November 2018, FDIC staff confirmed that they have engaged in collaborative discussions with other relevant financial regulators regarding issues related to consumers' use of account aggregation services and associated liability issues. We followed up in April 2019 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation.

Recommendation: The Chairman of the National Credit Union Administration should engage in collaborative discussions with other relevant financial regulators in a group that includes all relevant stakeholders and has defined agency roles and outcomes to address issues related to consumers' use of account aggregation services. (Recommendation 8)

Agency: National Credit Union Administration
Status: Open

Comments: In July 2018, NCUA staff indicated that staff from their agency had recently participated in a discussion forum with other federal regulators and other stakeholders on fintech, and, in particular, account aggregation challenges. They stated that they intend to continue to engage other regulators and related industry stakeholders on fintech topics and emerging technology that can have an impact on credit unions and their consumers. In October 2018, NCUA staff advised us that they have been discussing issues related to data aggregation at meetings of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. In November 2019, NCUA staff said that the agency continues to participate in meetings through the Fintech Interagency Discussion Group and had taken part in a Data Symposium held by the San Francisco Federal Reserve. We plan to follow up with NCUA staff to obtain updates on these efforts and resulting outcomes in the future.

Recommendation: The Comptroller of the Currency should engage in collaborative discussions with other relevant financial regulators in a group that includes all relevant stakeholders and has defined agency roles and outcomes to address issues related to consumers' use of account aggregation services. (Recommendation 9)

Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open

Comments: In a May 2018 letter, OCC noted that its staff have met with the other banking regulators and with market participants about account aggregation issues in the past. In October 2018, OCC staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. We followed up in January 2020 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation. We plan to follow up with OCC staff to obtain updates on these efforts in the future.

Recommendation: The Chairman of the National Credit Union Administration should formally evaluate the feasibility and benefit of establishing an office of innovation or clear contact point, including at least a website with a dedicated email address. (Recommendation 11)

Agency: National Credit Union Administration
Status: Open

Comments: NCUA officials told us that in August 2018 the agency established a working group to formally evaluate the feasibility of establishing a dedicated work unit to oversee and lead fintech and innovation efforts, including creating a website and monitoring a dedicated e-mail account. NCUA officials indicated that as of November 2019 the working group was deliberating key considerations related to establishing a dedicated work unit. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.

Recommendation: The Chair of the Board of Governors of the Federal Reserve System should formally evaluate the feasibility and benefits to their regulatory capacities of adopting certain knowledge-building initiatives related to financial innovation. (Recommendation 12)

Agency: Federal Reserve System: Board of Governors
Status: Open

Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of formally increasing its knowledge base related to financial innovation. The letter noted that the Federal Reserve has recently organized two nationwide teams of experts tasked with monitoring fintech and related emerging technology trends as they relate to its supervisory and payment system mandates, respectively. These new teams include representation from all of the Federal Reserve System's Reserve Banks and have leadership from Board staff. These teams' critical objectives include ensuring that fintech-related information is shared across the Federal Reserve System and is used to inform relevant supervisory, policy, and outreach strategies. As of February 2020, the agency had no updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.

Recommendation: The Chairman of the Commodity Futures Trading Commission should formally evaluate the feasibility and benefits to their regulatory capacities of adopting certain knowledge-building initiatives related to financial innovation. (Recommendation 13)

Agency: Commodity Futures Trading Commission
Status: Open

Comments: We followed up in January 2020 and CFTC described its efforts to address this recommendation, which were encouraging. We are awaiting documentation of these efforts and when we confirm the agency's actions, we will provide updated information.

Recommendation: The Chairman of the National Credit Union Administration should formally evaluate the feasibility and benefits to their regulatory capacities of adopting certain knowledge-building initiatives related to financial innovation. (Recommendation 15)

Agency: National Credit Union Administration
Status: Open

Comments: NCUA officials told us that, as of November 2019, the internal working group that the agency established in August 2018 was evaluating the feasibility and benefits of adopting certain knowledge-building initiatives related to financial innovation. Specifically, the working group was assessing initiatives such as stakeholder outreach, research and collaboration opportunities, grants and other technical assistance, and existing supervisory tools. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.

Recommendation: The Office of Transit Safety and Oversight should develop and communicate a method for how it will monitor the effectiveness of the enforcement authorities and practices of state safety agencies. (Recommendation 2)

Agency: Department of Transportation: Federal Transit Administration
Status: Open
Priority recommendation

Comments: DOT concurred with this recommendation. DOT should continue its progress to developing and communicating a methodology for how it will monitor the effectiveness of state safety agencies' enforcement.

Recommendation: The Commissioner of FDA should develop a timeline for updating the risk assessment on arsenic in rice. (Recommendation 1)

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: As of August 2020, FDA stated that it will update the risk assessment when more scientific evidence becomes available. In the meantime, FDA noted that it will continue to monitor research in this area, including ongoing work by the National Academies of Sciences (NAS) Board on Environmental Studies and Toxicology, which is currently reviewing EPA's work on inorganic arsenic, specifically on EPA's IRIS Toxicological Assessments of Inorganic Arsenic. GAO will assess whether FDA has taken action responsive to the recommendation when additional information becomes available.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment revises its guidance on privatized military housing to include a requirement that the military departments incorporate measures of future sustainment into their assessments of privatized housing projects. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it was working with the military departments to determine appropriate measures of future sustainment and would revise its guidance to require the military departments to incorporate measures of future sustainment into their assessments of privatized housing projects. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment takes steps to resume issuing required reports to Congress on the financial condition of privatized housing in a timely manner. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report and stated that it was working to further streamline the reporting format and data collection process to ensure more timely reporting to Congress. Subsequently, in September 2018 DOD issued its report to Congress on the financial condition of privatized housing covering fiscal years 2015 and 2016, and in May 2019 DOD issued the report covering fiscal year 2017. An official from the Office of the Assistant Secretary of Defense for Sustainment noted in May 2019 that the next report will cover updated reporting requirements from the National Defense Authorization Act for Fiscal Year 2019. The official said that DOD was in the process of reviewing its schedule to determine when it will be able to submit the report covering fiscal year 2018, with the expectation that the submission will be made in December 2019 or no later than March 2020. The official added that collection, reconciliation, and coordination of the information in the report remains the biggest challenge to timely submittal, as well as other privatized housing-related work requirements. Because it is unclear whether future reports reflecting the updated reporting requirements will be submitted in a timely manner, we will continue to monitor DOD's response to this recommendation.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment reports financial information on future sustainment of each privatized housing project in its reports to Congress. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report and stated that it would ensure that financial information on future sustainment of each privatized housing project would be included in the report to Congress on privatized housing covering fiscal year 2017. However, the report covering fiscal year 2017 was issued in May 2019 and did not include financial information on the future sustainment of each privatized housing project. We will continue to monitor any actions DOD takes to implement this recommendation.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment provides guidance directing the military departments to assess the significance of the specific risks to individual privatized housing projects resulting from the reductions in the basic allowance for housing and identify courses of action to respond to any risks based on their significance. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it would issue guidance to the military departments to annually report on their assessment of the specific risk of changes in the basic allowance for housing to individual privatized housing projects and identify any courses of action to respond to the risks based on their significance. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment finalizes guidance in a timely manner that clearly defines the circumstances in which the military departments should provide notification of project changes and which types of project changes require prior notification or prior approval. (Recommendation 7)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that DOD has coordinated draft guidance with the military departments which it expected to issue in fiscal year 2018. However, in May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that the guidance has been delayed due to other pressing requirements and DOD now anticipates being able to issue this guidance sometime in calendar year 2019.

Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment revises its guidance on privatized military housing to require the military departments to define their risk tolerances regarding the future sustainability of their privatized housing projects. (Recommendation 8)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it would revise its privatized housing guidance to require the military departments to define their risk tolerances regarding future sustainability of privatized housing projects. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.

Recommendation: The Commissioner of FDA should ensure that the FVM Program develops performance measures with associated targets and time frames for all eight of FDA's food safety- and nutrition-related objectives. (Recommendation 2)

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: As of August 2020, FDA had not fully implemented our recommendation, although the agency reported taking several steps. For example, FDA stated that implementation of Food Safety Modernization Act (FSMA) based preventive controls standards is a top priority for the agency and a key component of the Foods and Veterinary Medicine Program's strategic plan, and for this reason, FSMA-related performance metrics have been prioritized. In addition, FDA reported that in September 2019, the agency published an online Food Safety Dashboard, whose purpose is to measure the progress of each of the FSMA rules, and FDA provides regular updates to the dashboard to promote transparency to the public. FDA also stated that as of June 2020, the dashboard contains measures related to Preventive Controls and Current Good Manufacturing Practice Rules and Imported Food Safety Program, and it includes data for human and animal food and, in some cases, data starting in FY 2017. FDA added that since the FSMA rules have staggered compliance dates, the measures associated with the rules are developed in phases, and over time, the Food Safety Dashboard will be populated with additional data to show more FSMA-related outcomes. However, the recommendation is not fully implemented since our recommendation included the related objectives within the Foods and Veterinary Medicine Program's strategic plan. In August 2020, FDA told us that given the agency's 2018 reorganization, FDA has aligned the performance measures and dashboard with the FSMA rules, and the current alignment covers most of the food safety objectives within the strategic plan. FDA also reported that it is reviewing the strategic plan to ensure alignment with FDA's current priorities and structure, including the recently released New Era of Smarter Food Safety Blueprint. We will follow up with FDA and provide an update in FY 2021.

Recommendation: The FAA Administrator should fulfill the CSLCA mandate to include ensuring a balance of risk between the federal government and launch companies as part of FAA's MPL methodology evaluation by reexamining the current probability thresholds. (Recommendation 1)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: In March 2020 Department of Transportation (DOT) officials stated that FAA had not yet finished reexamining the current maximum probable loss (MPL) probability thresholds or completed a subsequent rulemaking to address the probability thresholds. The officials also stated that FAA's focus for the prior two years has been on streamlining the launch and reentry license regulations (SLR2) rulemaking in response to the President's Space Policy Directive 2, which contains the National Space Council's recommendations for commercial space regulatory reform. According to the officials, this effort will continue through 2020, and that after it is completed, FAA will evaluate whether to begin a new rulemaking to address MPL analyses.

Recommendation: The FAA Administrator should fulfill the CSLCA mandate to analyze the cost impact of implementing its revised MPL methodology by evaluating the impact on the direct costs of launch companies and the federal government. (Recommendation 2)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: In March 2020, Department of Transportation (DOT) officials stated that FAA had not yet finished reexamining the current maximum probable loss (MPL) probability thresholds or completed a subsequent rulemaking to address the probability thresholds. The officials also stated that FAA's focus for the prior two years has been on streamlining the launch and reentry license regulations (SLR2) rulemaking in response to the President's Space Policy Directive 2, which contains the National Space Council's recommendations for commercial space regulatory reform. According to the officials, this effort will continue through 2020, and that after it is completed, FAA will evaluate whether to begin a new rulemaking to address MPL analyses.

Recommendation: The FAA Administrator should fulfill the CSLCA mandate to evaluate its MPL methodology in consultation with the commercial space sector and insurance providers by consulting with those entities on the cost impact of its revised MPL methodology, including an updated cost-of-casualty amount, on the launch industry and the federal government. (Recommendation 3)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: In March 2020, Department of Transportation (DOT) officials stated that FAA had not yet finished reexamining the current maximum probable loss (MPL) probability thresholds or completed a subsequent rulemaking to address the probability thresholds. The officials also stated that FAA's focus for the prior two years has been on streamlining the launch and reentry license regulations (SLR2) rulemaking in response to the President's Space Policy Directive 2, which contains the National Space Council's recommendations for commercial space regulatory reform. According to the officials, this effort will continue through 2020, and that after it is completed, FAA will evaluate whether to begin a new rulemaking to address MPL analyses.

Recommendation: The FAA Administrator should establish an estimated completion date for developing and implementing a plan to establish guidance on the most appropriate MPL methodologies and tools to use for each launch. (Recommendation 4)

Agency: Department of Transportation: Federal Aviation Administration
Status: Open

Comments: In March 2020, Department of Transportation (DOT) officials stated that FAA had not yet finished reexamining the current maximum probable loss (MPL) probability thresholds or completed a subsequent rulemaking to address the probability thresholds. The officials also stated that FAA's focus for the prior two years has been on streamlining the launch and reentry license regulations (SLR2) rulemaking in response to the President's Space Policy Directive 2, which contains the National Space Council's recommendations for commercial space regulatory reform. According to the officials, this effort will continue through 2020, and that after it is completed, FAA will evaluate whether to begin a new rulemaking to address MPL analyses.

Recommendation: The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it was in the process of working with the lnteragency Security Committee (ISC) to update its vulnerability assessment program, with a target completion date of January 2019. Despite multiple attempts, as of June 2020, VA has not provided any information on its progress in updating its program.

Recommendation: The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it had identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities and that it was reviewing an ISC-certified risk assessment tool for possible implementation consideration. Despite multiple attempts, as of June 2020, VA had not provided an update on its efforts to implement this recommendation.

Recommendation: The Administrator of CMS should provide fraud-awareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis. (Recommendation 1)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: The agency agreed with this recommendation. In July 2018, CMS reported that it is strengthening its efforts to ingrain fraud risk management principles throughout the Agency and is developing a training video, module, and curriculum to train staff agency-wide on fraud risks. In November 2019, CMS provided fraud-awareness training videos for new and current CMS employees. GAO requested and is awaiting documentation to show mandatory nature and annual frequency of the training in order to assess the extent to which the training is consistent with leading practices in fraud risk management.

Recommendation: The Administrator of CMS should conduct fraud risk assessments for Medicare and Medicaid to include respective fraud risk profiles and plans for regularly updating the assessments and profiles. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: Agency agreed with this recommendation. In July 2018, CMS reported that it has initiated the fraud risk assessment for some programs in Medicare, including the Medicare Diabetes Prevention Program expanded model. CMS also reported that it is also continuing to draft fraud risk profiles for the Comprehensive End-Stage Renal Disease (ESRD) Care model, the Comprehensive Primary Care Plus model, the permanent Medicare Shared Savings Program, and the new Medicare Beneficiary Identifier. Additionally, CMS reported that it is assessing the Quality Payment Program, established by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), utilizing the GAO fraud risk assessment framework. We will continue to monitor CMS's progress in this area. In November 2019, CMS provided a diagram depicting CMS approach to assessing fraud risks and a document for Home Health Request for Anticipated Payment, stating that fraud risk assessments on Medicare Diabetes Prevention Program and Quality Payment Program are under development. We requested and are awaiting additional information on CMS's approach and plans for conducting fraud risk assessments in Medicare programs, including the reasoning for program selection, overall order, and anticipated timeframes.

Recommendation: The Administrator of CMS should, using the results of the fraud risk assessments for Medicare and Medicaid, create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation. (Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: Agency agreed with this recommendation. In November 2019, CMS reported on activities to conduct fraud risk assessments in Medicare programs (see Recommendation 2), however this work is ongoing and the recommendation remains open. Because completion of a fraud risk assessment is necessary before developing an antifraud strategy, this recommendation also remains open. We will continue to monitor CMS's progress in this area.

Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to establish and document a procedure for the destruction of records contained in electronic systems in accordance with approved disposition schedules. (Recommendation 1)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure staff receive records management training annually. (Recommendation 2)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to conduct the triennial assessment of the FSA records management program. (Recommendation 3)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that privacy impact assessments address all required elements. (Recommendation 4)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that information security-related policies and procedures are reviewed at least annually, in accordance with FSA policy; updated as needed; and approved by security officials. (Recommendation 5)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Education should update its regulation to include protections of personal information as an element of a school's ability to demonstrate its administrative capability. (Recommendation 7)

Agency: Department of Education
Status: Open

Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.

Recommendation: The Secretary of Defense, in conjunction with the Chairman of the Joint Chiefs of Staff, should assess the risks to accomplishing both of the GRF's uses: that is, its use as an augmentation capability available as needed to individual geographic combatant commands; and its use as a tailorable joint force available for rapid response to a specific threat. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. As of August 2019, DOD has not implemented this recommendation and stated that DOD is developing its Dynamic Force Employment (DFE) concept, which will have a direct impact on the mission, construct, command relationships, and training of the Department's Global Response Force. DOD has not specified when the implementation of the DFE will be complete.

Recommendation: The Secretary of Defense, in conjunction with the Chairman of the Joint Chiefs of Staff, should, as appropriate following the assessment of risk, design responses, such as further defining and prioritizing the GRF's intended uses and missions, to mitigate any identified risks. (Recommendation 2)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. As of August 2019, DOD has not implemented this recommendation and stated that DOD is developing its Dynamic Force Employment concept, which will have a direct impact on the mission, construct, command relationships, and training of the Department's Global Response Force. DOD has not specified when the implementation of the DFE will be complete.

Recommendation: The Secretary of Defense, in conjunction with the Chairman of the Joint Chiefs of Staff, should designate an authority to establish and enforce integrated joint training for GRF-assigned units, as appropriate. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. As of August 2019, DOD has not implemented this recommendation and stated that DOD is developing its Dynamic Force Employment concept, which will have a direct impact on the mission, construct, command relationships, and training of the Department's Global Response Force. DOD has not specified when the implementation of the DFE will be complete.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.

Recommendation: To improve technical expertise and overcome fragmentation, the CDC director of the Select Agent Program should work with APHIS to develop a joint workforce plan that assesses workforce and training needs for the program as a whole. This assessment should be done in conjunction with the development of the strategic plan. (Recommendation 10)

Agency: Department of Health and Human Services: Public Health Service: Centers for Disease Control and Prevention
Status: Open

Comments: CDC agreed with this October 2017 recommendation and, as of January 2020, CDC and APHIS were in the process of finalizing a joint workforce assessment focusing primarily on inspections, according to officials from the Select Agent Program. However, this joint assessment does not account for other aspects of the program, such as training, which was part of GAO's recommendation. According to Select Agent Program officials, the program is developing a new information system and officials plan to conduct a follow-up workload assessment once this new system is fully implemented, as they anticipate that the program will gain efficiencies once this new system is in place. Officials from the Select Agent Program said they did not have a definitive timeframe as to when the new system would be in place and a new workload assessment could be completed but, as of December 2019, they said it would be several years. Once the updated workforce assessment is completed, GAO will review it to determine if it fulfills the recommendation. Developing a joint workforce plan as recommended would help the program to better manage fragmentation by improving how it leverages resources, which in turn would help to ensure that all workforce and training needs are met.

Recommendation: To improve technical expertise and overcome fragmentation, the APHIS director of the Select Agent Program should work with CDC to develop a joint workforce plan that assesses workforce and training needs for the program as a whole. This assessment should be done in conjunction with the development of the strategic plan. (Recommendation 11)

Agency: Department of Agriculture: Animal and Plant Health Inspection Service
Status: Open

Comments: APHIS agreed with this October 2017 recommendation and, as of January 2020, CDC and APHIS were in the process of finalizing a joint workforce assessment focusing primarily on inspections, according to officials from the Select Agent Program. However, this joint assessment does not account for other aspects of the program, such as training, which was part of GAO's recommendation. According to Select Agent Program officials, the program is developing a new information system and officials plan to conduct a follow-up workload assessment once this new system is fully implemented, as they anticipate that the program will gain efficiencies once this new system is in place. Officials from the Select Agent Program said they did not have a definitive timeframe as to when the new system would be in place and a new workload assessment could be completed but, as of December 2019, they said it would be several years. Once the updated workforce assessment is completed, GAO will review it to determine if it fulfills the recommendation. Developing a joint workforce plan as recommended would help the program to better manage fragmentation by improving how it leverages resources, which in turn would help to ensure that all workforce and training needs are met.

Recommendation: The appropriate entities within the Executive Office of the President, including the Council on Environmental Quality, Office and Management and Budget, and Office of Science and Technology Policy, should use information on the potential economic effects of climate change to help identify significant climate risks facing the federal government and craft appropriate federal responses. Such responses could include establishing a strategy to identify, prioritize, and guide federal investments to enhance resilience against future disasters. (Recommendation 1)

Agency: Executive Office of the President
Status: Open

Comments: As of July 14, 2020, the Executive Office of the President has yet to take action on this recommendation.

Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.

Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.

Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

Agency: National Gallery of Art
Status: Open

Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation

Recommendation: To help ensure DOD takes a strategic approach for its prototyping and innovation initiatives and overcomes funding and cultural barriers, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering to develop a high-level DOD-wide strategy, in collaboration with the military services and other appropriate DOD components, to communicate strategic goals and priorities and delineate roles and responsibilities among DOD's prototyping and innovation initiatives.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation, but its progress on addressing it has stalled. In November 2019, DOD's Prototyping Guidebook indicated that the department was developing policy and strategy documents pertaining to prototyping. As part of this effort, the Office of the Undersecretary of Defense for Research and Engineering was drafting a broad DOD Research and Engineering strategy that would include strategies pertaining to prototyping and innovation and address this recommendation. As of August 2020, DOD had not published this strategy.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

Agency: Department of Homeland Security
Status: Open

Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

Agency: Department of Homeland Security
Status: Open

Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.

Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.

Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.

Agency: Department of Energy
Status: Open

Comments: In its comments on a draft of the report in March 2017, DOE concurred in principle with this recommendation, stating that it already had an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide. In February 2020, DOE issued an update to its Financial Management Handbook that included additional procedures to address intra-governmental payment and collection transactions. However, neither the prior version of the Financial Management Handbook nor the additional information includes invoice review procedures. The Financial Management Handbook refers users to the DOE Acquisition Guide for procedures for invoice review. However, the Acquisition Guide states that it is intended to offer general guiding principles for approving officials to consider when reviewing and analyzing cost elements included in contract invoices--as opposed to detailed procedures for invoice review--and does not require sites to establish well-documented invoice review operating procedures, as we recommended.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: In its comments on a draft of the report in March 2017, DOE partially agreed with the recommendation. In its written comments on the report, DOE stated that it considered the recommendation to be closed without corrective action and that it would rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. However, we disagree that relying in part on the OIG to design and oversee fraud risk management activities meets best practices because, according to GAO's Fraud Risk Framework, the dedicated entity should not include the OIG so that the OIG can maintain its independence. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE expects to establish a new group in fiscal year 2020 that will oversee DOE's fraud risk management activities. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile

Agency: Department of Energy
Status: Open

Comments: In its comments on a draft of the report in March 2017, DOE concurred with the substance of the recommendation; however they considered the recommendation to be closed without corrective action because DOE believed that its risk assessments met the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that were tailored to its programs and, therefore, do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks were the same for all DOE sites and were not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, the framework is expected to include changes to DOE's process to develop its fraud risk profile, beginning in fiscal year 2020. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE concurred with this recommendation but considered the recommendation closed without corrective action because DOE had implemented the updated OMB Circular A-123 and because DOE's antifraud strategy was embedded in the DOE internal control program. However, DOE officials told us that they had not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to develop an antifraud strategy in fiscal year 2021. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE stated that it concurred in principle with the recommendation, but that it had implemented the recommendation. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).

Agency: Department of Energy
Status: Open

Comments: In its comments on the draft report in March 2017, DOE did not agree to implement this recommendation because officials believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.

Recommendation: To help ensure that the government is not exposed to more liability risk than intended, the Secretary of Transportation should ensure that the FAA Administrator prioritizes the development of a plan to address the identified weakness in the cost-of-casualty amount, including setting time frames for action, and update the amount based on current information.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation agreed with the recommendation. In March 2018, the Federal Aviation Administration (FAA) stated that the agency planned to conduct a rulemaking to address any updates to the cost-of-casualty amount. As part of the rulemaking, FAA planned to engage with the commercial space and insurance industries to obtain views on an appropriate cost-of-casualty amount and implications of any changes. However, in February 2019, FAA stated that it has been unable to conduct the planned rulemaking due to a competing priority that will continue through 2020. FAA has requested input from the industry on prioritizing needed rule revisions and will develop a plan for updating the cost-of-casualty amount based on the industry's prioritization recommendations. We will continue to monitor FAA's actions in response to this recommendation.

Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should ensure that CNCS completes its efforts to benchmark its assessment criteria and scoring process to further develop a risk-based approach to grant monitoring and that information from this effort is used to (a) score the indicators so that the riskiest grants get the highest scores; (b) revise the assessment indicators to meaningfully cover all identifiable risks, including fraud and improper payments; and (c) document decisions on how indicators are selected and weighted.

Agency: Corporation for National and Community Service
Status: Open

Comments: CNCS has been working since September 2018 to review and update its risk assessment process. The CNCS Office of Research and Evaluation has developed a methodology to determine the appropriate score and weight for the assessment indicators. It plans to fully implement the new risk assessment process in fiscal year 2020. To close this recommendation, CNCS will need to show documentation for how it selected and weighted revised indicators to cover identifiable risks, and how the revised scoring system identifies the riskiest grants.

Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should review monitoring protocols, including the level of information collected for oversight of subrecipients' activities such as criminal history checks, and enhance protocols, as appropriate.

Agency: Corporation for National and Community Service
Status: Open

Comments: As of July 2019, CNCS stated that revisions to the agency-wide risk assessment instrument include indicators to address prime grantee monitoring and oversight of subrecipients. CNCS established a new Office of Monitoring in 2019, which will be responsible for reviewing and improving monitoring protocols, including those related to subrecipient activities. Enhanced monitoring protocols will be implemented as part of its fiscal year 2020 monitoring plan. To help close this recommendation, CNCS will need to show how it has expanded information it collects pertaining to subrecipients, and how its monitoring efforts reflect this.

Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should establish activities to systematically evaluate grant monitoring results.

Agency: Corporation for National and Community Service
Status: Open

Comments: In July 2019, CNCS reported that the new Office of Monitoring supports the agency's May 2018 Transformation and Sustainability Plan goals related to monitoring and evaluating results. This office is developing a monitoring strategy to align with the agency's IT system improvements, and will allow for reporting and data to support a systematic evaluation of grant monitoring results. To help close this recommendation, CNCS will need to show how the agency has used outcomes and findings from its grant monitoring activities to help guide improvements to these activities.

Recommendation: To improve CNCS's efforts to move toward a risk-based process for monitoring grants and to improve its capacity for monitoring grantee compliance, the Chief Executive Officer of the Corporation for National and Community Service should, as part of CNCS's efforts to develop an employee development program, update critical competencies for grant monitoring, and establish a training planning process linked with agency goals and these competencies.

Agency: Corporation for National and Community Service
Status: Open

Comments: As of July 2019, CNCS is in the process of realigning its grant management and monitoring functions. The agency plans to document critical competencies for grant management and monitoring roles and establish a training program to strengthen its grant monitoring performance. By December 2019, CNCS plans to implement a comprehensive orientation curriculum and a more effective onboarding procedure, updated staff support training materials, among other changes to its training efforts. To close this recommendation, CNCS will need to determine which competencies are critical for grant monitoring, and show how the competencies are linked with the agency's training planning processes and agency goals.

Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to establish a mechanism for BSEE management to obtain and incorporate input from bureau personnel and any external parties, such as Argonne, that can affect the bureau's ability to achieve its objectives.

Agency: Department of the Interior
Status: Open
Priority recommendation

Comments: In its June 9, 2017, response to our report, Interior indicated that BSEE is developing new strategies to improve trust and foster greater collaboration for consideration by the new Director. In September 2018, Interior provided documentation of several BSEE actions, including establishing an Employee Engagement Council, an Innovation Program, and Ombudsman position within the bureau. As of August 2020, BSEE indicated that these efforts remain ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of improved communication throughout the bureau.

Recommendation: The Secretary of the Interior should direct the Assistant Secretary for Land and Minerals Management, who oversees BSEE, to address leadership commitment deficiencies within BSEE, including by implementing internal management initiatives and ongoing strategic initiatives (e.g., Enterprise Risk Management and performance measure initiatives) in a timely manner.

Agency: Department of the Interior
Status: Open

Comments: In its June 2017 response to our report, Interior indicated that BSEE will incorporate lessons learned from its first enterprise risk management cycle in future cycles and that BSEE will incorporate a performance management dashboard in fiscal year 2018. In August 2019, BSEE provided documentation regarding actions it has taken to implement and institutionalize its enterprise risk management and performance measure initiatives. In August 2020, BSEE indicated that implementation of these processes remains ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of improved internal management initiatives and ongoing strategic initiatives throughout the bureau.

Recommendation: The Secretary of the Interior should direct the BSEE Director to address trust concerns that exist between headquarters and the field, BSEE should expand the scope of its employee engagement strategy to incorporate the need to communicate quality information throughout the bureau.

Agency: Department of the Interior
Status: Open

Comments: In its June 2017 response to our report, Interior indicated that BSEE's response to this recommendation would be incorporated into its corrective actions for recommendation one. In September 2018, Interior provided documentation of several BSEE actions, including establishing an Employee Engagement Council, an Innovation Program, and Ombudsman position within the bureau. As of August 2020, BSEE indicated that these efforts remain ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of expanded employee engagement throughout the bureau.

Recommendation: To enhance program oversight and provide more robust input to budget deliberations, Congress should consider requiring DOD to report on each major acquisition program's systems engineering status in the department's annual budget request, beginning with the budget requesting funds to start development. The information could be presented on a simple timeline--as done for the case studies in this report--and at a minimum should reflect the status of a program's functional and allocated baselines as contained in the most current version of the program's systems engineering plan.

Agency: Congress
Status: Open

Comments: As of August 2020, Congress has not yet taken action on the matter for consideration. The Department of Defense (DOD) non-concurred and as of March 16, 2018, DOD officials reported they had closed this recommendation because they did not agree that the systems engineering plan was the most effective means to provide Congress insight into program risk. DOD officials stated that the timing of the systems engineering plan and any updates are not aligned to inform a budget decision that could occur as much as 18 months prior to program initiation; and existing statutory certifications and reports, such as 2366a and 2366b requirements, submitted to Congress contain adequate information regarding program risk and technical maturity. GAO initiated work in 2020 to examine recent congressionally mandated changes in DOD's acquisition and requirements processes and will assess whether those changes meet the intent of this recommendation.

Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by expanding consideration of the trade-offs associated with different degrees of severity.

Agency: Federal Reserve System
Status: Open
Priority recommendation

Comments: In January 2019, the Federal Reserve said it had initiated two projects that would allow a more efficient evaluation of multiple scenarios, including assessing trade-offs associated with different levels of scenario severity. In December 2019, Federal Reserve staff provided updates on these projects, which remain in progress. We will continue to monitor the Federal Reserve's completion and implementation of these projects and any additional actions it takes that may be responsive to our recommendation.

Recommendation: To improve understanding of the range of potential crises against which the banking system would be resilient and the outcomes that might result from different scenarios, the Federal Reserve should assess whether a single severe supervisory scenario is sufficient to inform CCAR decisions and promote the resilience of the banking system. Such an assessment could include conducting sensitivity analysis involving multiple severe supervisory scenarios--potentially using CCAR data for a cycle that is already complete, to avoid concerns about tailoring the scenario to achieve a particular outcome.

Agency: Federal Reserve System
Status: Open
Priority recommendation

Comments: In January 2019, the Federal Reserve said it had initiated two projects that would allow a more efficient evaluation of multiple scenarios. In December 2019, Federal Reserve staff provided updates on these projects, which remain in progress. We will continue to monitor the Federal Reserve's completion and implementation of these projects and any additional actions it takes that may be responsive to our recommendation.

Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to test and document the sensitivity and uncertainty of the model system's output--the post-stress capital ratios used to make CCAR quantitative assessment determinations--including, at a minimum, the cumulative uncertainty surrounding the capital ratios and their sensitivity to key model parameters, specifications, and assumptions from across the system of models.

Agency: Federal Reserve System
Status: Open
Priority recommendation

Comments: In January 2019, the Federal Reserve said it had previously initiated multiple projects to fully respond to our recommendation, several of which were now complete. In December 2019, Federal Reserve staff provided updates on the remaining projects, which remain in various stages of completion. We will continue to monitor the Federal Reserve's completion and implementation of these projects and, once we receive documentation demonstrating the completion of responsive actions, we will update the status of this recommendation.

Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates to the Board during CCAR deliberations.

Agency: Federal Reserve System
Status: Open
Priority recommendation

Comments: In January 2019, the Federal Reserve said it had previously initiated a project to fully respond to our recommendation. In December 2019, Federal Reserve staff provided updates on the project, but as of February 2020, had not provided documentation fully supporting implementation of a process consistent with our recommendation. We will continue to monitor the Federal Reserve's completion and implementation of this project, and we will update the status of this recommendation once we receive documentation demonstrating the completion of responsive actions.

Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process for the Board and senior staff to articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.

Agency: Federal Reserve System
Status: Open
Priority recommendation

Comments: In January 2019, the Federal Reserve said it had previously initiated a project to fully respond to our recommendation. In December 2019, Federal Reserve staff provided updates on the project, but as of February 2020, had not provided documentation fully supporting implementation of a process consistent with our recommendation. We will continue to monitor the Federal Reserve's completion and implementation of this project, and we will update the status of this recommendation once we receive documentation demonstrating the completion of responsive actions.

Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and communicate Field Collection program and case selection objectives, including the role of fairness, in clear and measurable terms sufficient for use in internal control.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation and described actions being taken to address it. In June 2019, IRS officials told us they were beginning an initiative designed to help identify a program's objectives in relationship to the IRS Strategic Plan and that Field Collection was chosen as one of the pilot programs for this initiative. In September 2020, IRS officials provided us draft program and case selection objectives and said they expected to complete actions to implement the recommendation in Fall 2020.

Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and implement performance measures clearly linked to the Field Collection program and case selection objectives.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation and outlined planned actions to address it. In June 2019, IRS officials told us they were beginning an initiative designed to help identify a program's objectives in relationship to the IRS Strategic Plan and that Field Collection was selected as one of the pilot programs for this initiative. In September 2020, IRS officials provided us draft program and case selection objectives and said they expected to complete actions to implement the recommendation in Fall 2020.

Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should incorporate program and case selection objectives into existing risk management systems or use other approaches to identify and analyze potential risks to achieving those objectives so that Field Collection can establish risk tolerances and appropriate control procedures to address risks.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation and outlined planned actions to address it. In June 2019, IRS officials told us they were beginning an initiative designed to help identify a program's objectives in relationship to the IRS Strategic Plan and that Field Collection was selected as one of the pilot programs for this initiative. Since program and case selection objectives are necessary before appropriate risk management systems can be established, in September 2020, IRS officials said they expected to complete actions to implement program and case selection objectives in Fall 2020 but provided no anticipated completion date for actions to identify and analyze potential risks to those objectives and related risk management actions.

Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and communicate control procedures guidance for group managers to exercise professional judgment in the Field Collection program case selection process to achieve fairness and other program and collection case selection objectives.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation and described actions it will take to address it. In June 2019, IRS officials told us they are beginning an initiative designed to help identify a program's objectives in relationship to the IRS Strategic Plan. IRS selected Field Collection as one of the pilot programs for this initiative which would include actions to address this recommendation. In September 2020, IRS officials said they had revised the Internal Revenue Manual to guide group managers on elements to consider in selecting cases. We will update the status of IRS's actions to implement the recommendation after review of any documentation IRS provides.

Recommendation: To ensure that Field Collection program case selection processes support IRS's and the Collection program's mission, including applying tax laws with integrity and fairness to all, the Commissioner of Internal Revenue should develop, document, and implement procedures to periodically monitor and assess the design and operational effectiveness of both automated and manual control procedures for collection case selection to assure their continued effectiveness in achieving program objectives.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with the recommendation and outlined planned actions to address it. In June 2019, IRS officials told us they are beginning an initiative designed to help identify a program's objectives in relationship to the IRS Strategic Plan. IRS selected Field Collection as one of the pilot programs for this initiative. According to IRS officials, this pilot effort is ongoing and includes consideration of how the agency will address this recommendation. In September 2020, we met with IRS officials to discuss the status of actions to implement this recommendation but no anticipated completion date was provided.

Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.

Recommendation: To ensure that DOE's control activities continue to be relevant and effective for managing supply chain risk, the Secretary should direct the Under Secretary for Nuclear Security, as the Administrator of the NNSA, to work with the Office of Intelligence and Counterintelligence and other DOE organizations, as appropriate, to assess the circumstances that might warrant using the enhanced procurement authority, and (1) if this assessment identifies circumstances that might warrant using the authority, the Secretary should direct the Under Secretary for Nuclear Security to work with other DOE organizations, as appropriate, to establish processes for using it and examine whether adequate resources are in place to support those processes, and (2) communicate the results of this assessment to the relevant congressional committees for their use in determining whether to extend the authority past its current termination date.

Agency: Department of Energy
Status: Open

Comments: In an October 7, 2016, letter the Under Secretary for Nuclear Security and Administrator of the National Nuclear Security Administration (NNSA) said he agreed with GAO's recommendation to assess situations that might warrant the use of the enhanced procurement authority and, should specific circumstances be identified for use of the authority, NNSA would develop a process for its use. The assessment would include an examination of resources to support use of the authority. NNSA would work with other Department of Energy organizations as appropriate in conducting the assessment. NNSA officials said they submitted the assessment to the congressional committees in March 2020. We requested a copy of the assessment and will update the status of this recommendation after we receive and review it.

Recommendation: To ensure that NNSA will provide clear information to stakeholders about the program needs that the revised CMRR project will satisfy, the Secretary should direct the Under Secretary for Nuclear Security, in his capacity as the NNSA Administrator, to update the program requirements document for the revised CMRR project to clarify whether the project will provide plutonium analysis equipment to meet the needs of DOE and NNSA programs other than those in the Office of Defense Programs.

Agency: Department of Energy
Status: Open

Comments: As of August 2020, LANL has drafted a revised PRD but NNSA's review is not yet complete. This recommendation will remain open until we can evaluate the PRD.

Recommendation: To improve risk management in the collection of AD/CV duties and to identify new or changing risks, CBP should regularly conduct a comprehensive risk analysis that assesses both the likelihood and the significance of risk factors related to AD/CV duty collection. For example, CBP could construct statistical models that explore the associations between potential risk factors and both the probability of nonpayment and the size of nonpayment when it occurs.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation

Comments: As of December 2019, CBP was taking steps to conduct the type of risk analysis GAO recommended in July 2016. In November 2019 we reported that according to CBP , the agency had developed and successfully tested two models using risk factors including, but not limited to, the type of good, country of origin of the good, and whether the importer is from a foreign country. One test demonstrated that, using data from fiscal years 2007-2015, CBP could have predicted over 95 percent of the importers with delinquent antidumping and countervailing (AD/CV) duty bills in fiscal years 2016 and 2017. CBP requested $17 million in fiscal year 2020 funds to make updates to its information systems necessary to facilitate the implementation of statistical models. CBP is also working on long-term enhancements to the models that it says will leverage additional modeling techniques, such as social network and spatial analysis. Regularly conducting a comprehensive risk analysis of factors related to AD/CV duty non-collection could enhance CBP's capacity to collect additional revenue by enabling CBP to increase bonding amounts for continuous entry and single-transaction bonds for importers with a greater risk of nonpayment. In a December 2019 Commercial Customs Operations Advisory Committee report, CBP said that it planned to begin rolling out a risk-based bonding framework in March 2020. The new framework relies on a bond formula that is in part based on risk factors identified by the statistical models .

Recommendation: To improve risk management in the collection of AD/CV duties, CBP should, consistent with U.S. law and international obligations, take steps to use its data and risk assessment strategically to mitigate AD/CV duty nonpayment, such as by using predictive risk analysis to identify entries that pose heightened risk and taking appropriate action to mitigate the risk.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation

Comments: As of December 2019, CBP was taking steps to develop a risk-based AD/CV bonding framework to use in conjunction with the development of an AD/CV risk assessment model. CBP is developing a supplemental AD/CV duty continuous entry bond that incorporates nonpayment risk factors identified in its statistical models and has worked with Commercial Customs Operations Advisory Committee (COAC) to test the proposed risk based bonding formula by applying it to historical data. CBP has estimated that the collection rate under the risk-based bonding framework using the proposed formula would have been significantly higher than the collection rate under its existing bond policies during fiscal years 2007-2017, both in number and value of the bills collected; however, COAC members said the proposed bond formula would have resulted in overinsurance, which could increase cost to importers. The use of supplemental continuous entry bonds may require regulatory changes and modifications to CBP's database. CBP has also conducted an analysis of the use of single-transaction bonds using historical data, and found that this procedure would have allowed CBP to collect significantly more revenue in fiscal years 2007-2018. CBP is working with COAC members to test a risk-based application of single-transaction bonds to historical AD/CV duty entries to assess whether the bond would have reduced the amount of uncollected duties. In a December 2019 Commercial Customs Operations Advisory Committee report, CBP said that it plans to rolls out its risk-based bonding framework in March 2020.

Recommendation: To ensure Bureau and congressional confidence that the Bureau's budgeted contingencies are at appropriate levels, the Secretary of Commerce and Under Secretary for Economic Affairs should direct the Census Bureau to improve control over how risk and uncertainty are accounted for and communicated with the Bureau's decennial cost estimation process, such as by implementing and institutionalizing processes or methods for doing so with clear guidance.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: Commerce agreed with this recommendation. Specifically, we reported that the Bureau should ensure that its budget for contingencies for the 2020 Census reflect an accurate accounting of risk and uncertainty. In doing this, the Bureau should improve controls over risk and uncertainty in the cost estimate process, and institutionalize these controls by providing clear methods for their use. In July 2018, we completed a review of documentation to support the updated October 2017 cost estimate and found that the Bureau performed uncertainty and sensitivity analysis on the estimate and appropriately added funding into the cost estimate to reflect inherent uncertainty and to account for specific risks. In order to fully implement this recommendation, the Bureau will need to link specific risks to funds set aside in the $1.2 billion general risk contingency fund. Therefore, as of January 2020, this recommendation remains valid and should be addressed: that the Bureau properly account for risk in the 2020 Census cost estimate.

Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2018, FAMS revised its deployment methodology to no longer set an annual target number of average daily international and domestic flights to cover. Rather, FAMS now prioritizes deploying air marshals on as many flights as possible with passengers who have been identified as potentially higher risk because they match TSA's intelligence-based screening rules, among other risk-based priorities. In August 2020, FAMS officials explained that they were evaluating their concept of operations and planned to more fully develop a risk basis for dividing its resources between international and domestic flights. By doing so, FAMS could better ensure it is targeting its limited resources to the highest risk flights and better aligning with FAMS's stated goal of using risk-based decisions to guide mission operations. As a result, this recommendation remains open.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Administrator of the Food Safety and Inspection Service to develop agency policies that contain these requirements.

Agency: Department of Agriculture
Status: Open

Comments: In October 2016, the United States Department of Agriculture (USDA) stated that its Joint Committee on Biorisk Management Policy (JCBMP) would oversee the revisions of existing policies to include department-wide incident reporting requirements and time frames. As of July 2020, USDA estimated that these revisions should be completed by October 2020. Officials stated that updates to component agency policies would be completed shortly after issuance of the departmental policy. We will update the status of this recommendation when we receive additional information.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should review and update outdated department policies for managing hazardous biological agents in high-containment laboratories and direct the Administrators of the Animal and Plant Health Inspection Service (APHIS) and Agricultural Research Service to update their policies and, in the case of APHIS, establish a regular review schedule.

Agency: Department of Agriculture
Status: Open

Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing outdated departmental policies. In addition, officials stated that APHIS reviews and updates agency policies every 3-5 years, and that this schedule will be reflected in the updated departmental policy. In October 2019, the Agricultural Research Service (ARS) updated its agency policy for its institutional biological safety committee, the entity responsible for ensuring biosafety in its laboratories. As of July 2020, USDA estimated that revisions to the departmental, APHIS, and Food Safety and Inspection Service (FSIS) policies should be completed by December 2020. We will update the status of this recommendation when we receive additional information.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should routinely analyze results of the department's laboratory inspections and incident reports to identify potential trends that may highlight recurring laboratory safety or security issues and share lessons learned with laboratory personnel.

Agency: Department of Agriculture
Status: Open

Comments: In October 2016, USDA stated that the JCBMP would oversee efforts to collect and analyze laboratory inspection results and incident reports and share these reports and critical analyses with USDA senior leadership on an annual basis. As of July 2020, USDA estimated that revisions to its departmental policy-which would reflect the JCBMP's role in analyzing inspection results and incident reports, identifying potential trends, and sharing lessons learned-should be completed by October 2020. We will update the status of this recommendation when we receive additional information.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of the results of department, agency, and select agent laboratory inspections to senior department officials.

Agency: Department of Agriculture
Status: Open

Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing policies to include requirements for routine reporting of inspection results to senior USDA officials. In July 2020, USDA estimated that these revisions should be completed by October 2020. We will update the status of this recommendation when we receive additional information.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Agriculture should require routine reporting of incidents at agency laboratories to senior department officials.

Agency: Department of Agriculture
Status: Open

Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing policies to include requirements for routine reporting of laboratory incidents to senior USDA officials. In July 2020, USDA estimated that these revisions should be completed by October 2020. Officials stated that updates to component agency policies would be completed shortly after issuance of the departmental policy. We will update the status of this recommendation when we receive additional information.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should revise existing department policies for managing hazardous biological agents in high-containment laboratories to contain specific requirements for inventory control for all of DOD's high-containment laboratories, not just for its select agent-registered laboratories, or direct the Secretaries of the Air Force, Army, and Navy to revise their existing, respective policies to contain these requirements.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In June 2018, DOD stated that it had completed evaluation of existing DOD and service level guidance related to inventory control. DOD also stated that it will continue to analyze the adequacy of existing policy and the need to expand that policy across the DOD Lab Enterprise as the draft Department of Defense Manual (DoDM) 6055.18 is finalized for publication. As of August 2019, DoD said the draft DoDM 6055.18 was still in review and the agency estimated it would complete work to respond to this recommendation in February 2020.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Air Force and Army to review and update their respective outdated policies for managing hazardous biological agents in high-containment laboratories.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. DOD stated that it had updated the Air Force policy (AF Instruction 10-2611-0) as of January 19, 2017; this document updates the biological safety standards used in AF labs and implements the draft update to Department of Defense Manual 6055.18M: Safety Standards for Microbiological and Biomedical Laboratories. As of July 2019, DOD provided GAO with the updated Army policy AR 190-17; however DOD officials stated that as the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, this recommendation should remain open. DOD estimated it would complete work to respond to this recommendation in February 2020.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of the results of Air Force, Army, and Navy inspections of non-select agent registered laboratories to senior department officials.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In August 2019, DOD reported that the Air Force is planning to close its BSAT program by the summer of 2019 and planning was underway to move the Air Force BSAT inventory to another DOD BSAT facility. Additionally, the Army was revising its AR 385-10, which contains biosafety criteria unique to the Army, and estimated the revision would be completed by December 2019. Finally, the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, and DOD estimated it would complete work to respond to this recommendation in February 2020.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should require routine reporting of laboratory incidents at Air Force, Army, and Navy non-select agent registered laboratories to senior department officials.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In August 2019, DOD reported that the Air Force is planning to close its BSAT program by the summer of 2019 and planning was underway to move the Air Force BSAT inventory to another DOD BSAT facility. Additionally, the Army was revising its AR 385-10, which contains biosafety criteria unique to the Army, to include a new mishap classification for biosafety mishaps to effect better reporting and analysis of these mishaps, and estimated the revision would be completed by December 2019. Finally, the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, and DOD estimated it would complete work to respond to this recommendation in February 2020.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Defense should direct the Secretaries of the Army and Navy to require reporting of agency and select agent laboratory inspection results to senior agency officials.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. As of June 2018, DOD stated that the draft directive DODD 5101.XXE, which is expected to be published in October 2018, formally designates the Executive Agent Responsible Official for Biosafety and Biosecurity and will establish roles and responsibilities including a role for reporting inspection results. Further, DOD stated that all inspection results of a joint inspection team are provided to the Executive Agent Responsible Official, and that the joint inspection team was established in September 2016. As of September 2019, DOD officials had provided updated documentation regarding this recommendation, and GAO was reviewing these updates.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for reporting laboratory incidents to senior department officials, including the types of incidents that should be reported, to whom, and when, or direct the Director of CDC and the Commissioner of FDA to incorporate these requirements into their respective policies.

Agency: Department of Health and Human Services
Status: Open

Comments: In August 2016, HHS reported that both CDC and FDA were working to incorporate incident reporting requirements and time frames into formal agency policies and practices but did not provide an anticipated completion date. In summer 2017, CDC and FDA reported that they were continuing to incorporate incident reporting, which includes all laboratory incidents, accidents, injuries, infections, and near-misses, into formal agency policies. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019 we had not received an update from HHS on the status of CDC's implementation of this recommendation.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should develop department policies for managing hazardous biological agents in high-containment laboratories that contain specific requirements for training and inspections for all high-containment component agency laboratories and not just for their select-agent-registered laboratories; or direct the Director of CDC to provide these requirements in agency policies.

Agency: Department of Health and Human Services
Status: Open

Comments: In August 2016, HHS reported that CDC plans to revise its policies to include training and inspection requirements for inspections for all high-containment laboratories but did not provide an anticipated completion date. In June 2017, HHS reported that CDC was in the process of revising its formal policies to ensure they included requirements for training and inspections for all of the agency's high-containment laboratories but did not provide an anticipated completion date. In December 2017, HHS reported that CDC's policies were in the initial stages of the clearance process and anticipated they would be finalized in fall 2018. As of September 2019, HHS had not provided an update on the status of these policies.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of the results of agency and select agent laboratory inspections to senior department officials.

Agency: Department of Health and Human Services
Status: Open

Comments: In August 2016, HHS reported that CDC was working with FDA and NIH to establish a process for notifying HHS leadership of inspection results through the department's Biosafety and Biosecurity Coordinating Council. HHS did not provide us with an anticipated time frame for implementing this notification practice or when the agencies plan to begin notifying HHS of inspection results. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019, HHS had not provided an update on the status NIH's actions.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should direct the Director of NIH and the Commissioner of FDA to require routine reporting of the results of agency laboratory inspections--and in the case of FDA, require routine reporting of select agent inspection results--to senior agency officials.

Agency: Department of Health and Human Services
Status: Open

Comments: In August 2016, HHS reported that NIH's ongoing practice is to report the results of external inspections to senior agency officials and, in May 2016, developed a standard operating procedure that outlines this reporting process. In March 2017, NIH officials provided assurance that its Division of Occupational Safety and Health provides NIH's intramural governing body with information about NIH's safety performance at least annually; officials further assured that this information includes the overall results of annual inspections (or audits, as NIH calls them) of all NIH laboratories and discussion of the top 10 most report safety infractions for the year. GAO considers NIH to have implemented the recommended action. GAO will close the overall recommendation once FDA has taken equivalent, appropriate action. As of August 2019, FDA reported that the agency began piloting a standardized agency-wide laboratory safety inspection checklist to ensure that all laboratories are inspected rigorously and consistently. As part of the pilot, all laboratories were to be inspected during the first 3 quarters of the calendar year. The agency said it planned to aggregate the results of the inspections, and trends and significant findings would be reported to FDA senior leadership in the fourth quarter of 2019. GAO will continue to monitor FDA's actions to implement this recommendation.

Recommendation: To ensure that federal departments and agencies have comprehensive and up-to-date policies and stronger oversight mechanisms in place for managing hazardous biological agents in high-containment laboratories and are fully addressing weaknesses identified after laboratory safety lapses, the Secretary of Health and Human Services should require routine reporting of incidents at CDC, FDA, and NIH laboratories to senior department officials.

Agency: Department of Health and Human Services
Status: Open

Comments: In August 2016, HHS reported that its Biosafety and Biosecurity Council was working to establish incident reporting requirements for CDC, FDA, and NIH but did not provide an anticipated completion date. HHS noted that NIH formally adopted a standard operating procedure that lays out the agency's requirements for reporting incidents to senior officials. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019, HHS had not provided an update on the status of NIH or CDC actions.

Recommendation: Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services. For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, transferring the remaining prudential regulators' consumer protection authorities over large depository institutions to the Consumer Financial Protection Bureau, and the optimal role for the federal government in insurance regulation, among other considerations.

Agency: Congress
Status: Open

Comments: At least two bills have been introduced in the 115th Congress that would change the financial regulatory structure, to some degree, to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. The Financial CHOICE Act of 2017 (H.R. 10) was introduced on April 26, 2017, passed the House in June 2017 and the Senate held hearings in July 2017. Among other things, the Financial CHOICE Act of 2017 calls for the federal financial regulatory agencies to implement policies and procedures to minimize the duplication of effort with respect to enforcement actions. For example, it eliminates the authority of the Consumer Financial Protection Bureau to supervise and examine financial institutions and also eliminates the regulatory and enforcement authority of the agency with respect to unfair, deceptive, and abusive acts and practices by depository institutions. Such actions could help reduce fragmentation and overlap in the financial regulatory structure. In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) was introduced on November 16, 2017 and passed in the Senate in March 2018. The bill, to some extent, may help address fragmentation, overlap, and duplication in the financial regulatory structure. For example, the bill helps to address fragmentation in insurance oversight by finding that the federal agencies and office involved in insurance regulation should achieve consensus with state insurance regulators when they participate in negotiations on insurance issues before any international forum of financial regulators or supervisors, and create an advisory committee to discuss and report on insurance policy issues including international issues. GAO will continue to monitor the reform efforts to determine the extent to which they could help to address fragmentation and overlap between the federal financial regulatory agencies and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.

Recommendation: Congress should consider whether legislative changes are necessary to align FSOC's authorities with its mission to respond to systemic risks. Congress could do so by making changes to FSOC's mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies to support a stronger link between the responsibility and capacity to respond to systemic risks. In doing so, Congress could solicit information from FSOC on the effective scope of its collective designation authorities, including any gaps.

Agency: Congress
Status: Open

Comments: While some legislative action has been taken that may alter FSOC's authorities, it is not clear that the legislation would address GAO's February 2016 suggestion. The Financial CHOICE Act of 2017 (H.R. 10) was introduced on April 26, 2017, passed the House in June 2017, and the Senate held hearings in July 2017. The bill would change FSOC's authorities by repealing its authorities to designate non-bank financial institutions and financial market utilities (i.e., payment, clearing, and settlement systems) as "systemically important." In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) was introduced on November 16, 2017 and passed in the Senate in March 2018. The bill may alter some of FSOC's authorities. However, it is unclear if these acts would alter FSOC's mission to better align it with its authorities to respond to systemic risk or addresses a gap in systemic risk mitigation mechanisms. Without legislative changes that would align FSOC's authorities with its mission, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge and a gap will continue to exist in the mechanisms for mitigating systemic risks. GAO will continue to monitor the reform efforts to determine the extent to which they help to align FSOC's authorities with its mission to respond to systemic risks.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to track the value of advance premium tax credit and cost-sharing reduction (CSR) subsidies that are terminated or adjusted for failure to resolve application inconsistencies, and use this information to inform assessments of program risk and performance. (See related recommendation 7.)

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In April 2016, HHS reported it considers this recommendation closed because it expanded the use of analytics to analyze the value of premium tax credit and CSR subsidies that are eliminated or adjusted for 2015 actions at the policy level, and that CMS continues to analyze the data to develop future operations changes. In May 2016, we requested documentation of these actions, including (1) information produced using the capability described; (2) ways in which this information is being used for analysis for purposes such as program operations, monitoring, risk assessment, or fraud cleaning; and (3) a description of the future operational changes contemplated based on the analyses done. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. GAO said it would continue to monitor the agency's progress in this area. In March 2019, CMS reversed its initial concurrence with the recommendation, citing inability to obtain necessary data from another agency and a legal opinion on CSR subsidies. GAO kept the recommendation open, saying the developments HHS cited were irrelevant. In December 2019, after HHS reiterated its non-concurrence, GAO continued to maintain the recommendation as open.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to, in the case of CSR subsidies that are terminated or adjusted for failure to resolve application inconsistencies, consider and document, in conjunction with other agencies as relevant, whether it would be feasible to create a mechanism to recapture those costs, including whether additional statutory authority would be required to do so; and for actions determined to be feasible and reasonable, create a written plan and schedule for implementing them.

Agency: Department of Health and Human Services
Status: Open

Comments: As of December 2018, CMS officials said the Department of Health and Human Services (HHS) had received a legal opinion from the U.S. Attorney General regarding validity of CSR payments, which prompted the agency to halt the payments as of October 2017. CMS officials said that if the recommendation were to be implemented, it would amount to creating new rules and a process for a program feature that no longer exists. However, in January 2019, HHS indicated that the administration supports a legislative solution that would appropriate CSR payments, and GAO continues to monitor for relevant legislative action. If funding becomes available to restore CSR payments, then implementing this recommendation would aid CMS in reducing improper payments. In December 2019, CMS reversed its initial concurrence with the recommendation, citing the legal opinion. GAO, however, continued to maintain the recommendation as open.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to identify and implement procedures to resolve Social Security number inconsistencies where the Marketplace is unable to verify Social Security numbers or applicants do not provide them.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In April 2016, HHS reported that it considered this recommendation open and was working on implementing functionality for updating consumers' Social Security numbers (SSN) and their eligibility based on the correct SSN. HHS reported that is it targeting deployment of the SSN update functionality in 2017. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. In December 2019, HHS told GAO it continues to evaluate steps necessary to implement the recommendation, and expects close-out by October 2020. We will continue to monitor the agency's progress in this area.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to reevaluate CMS's use of Prisoner Update Processing System (PUPS) incarceration data and make a determination to either (a) use the PUPS data, among other things, as an indicator of further research required in individual cases, and to develop an effective process to clear incarceration inconsistencies or terminate coverage, or (b) if no suitable process can be identified to verify incarceration status, accept applicant attestation on status in all cases, unless the attestation is not reasonably compatible with other information that may indicate incarceration, and forego the inconsistency process.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In April 2016, HHS reported it considers this recommendation closed because in 2015, it made the determination to no longer require application filers to submit documentation regarding incarceration status. We were aware of that determination, but the recommendation was to reevaluate use of PUPS from the specific standpoint of using the data as it was intended to be used as in indicator of further research and then draw a conclusion on the use of the data. In May 2016, we requested documentation demonstrating that in the period since we made this recommendation, CMS has undertaken the reevaluation in the fashion that we indicated. As of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. In December 2019, HHS told GAO it continues to evaluate steps necessary to implement the recommendation, and expects close-out by October 2021. We will continue to monitor the agency's progress in this area.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to create a written plan and schedule for providing Marketplace call center representatives with access to information on the current status of eligibility documents submitted to CMS's documents processing contractor.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In April 2016, HHS reported that since May 2015, call center representatives have received daily updates on the status of eligibility documentation. HHS reported that it is working to provide call center representatives with real-time data. HHS reported it considers this February 2016 recommendation to be closed. In May 2016, GAO noted that its February 2016 recommendation was focused on providing such real-time capability and requested (1) confirmation that call center representatives currently have on-demand, real-time access to up-to-date, application-level document status; and documentation showing development and implementation of this capability; or (2) a written plan and schedule for providing this capability as recommended. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency has implemented this recommendation. In December 2019, the agency provided new evidence in support of closure, for which GAO requested supporting information. We will continue to monitor the agency's progress in this area.

Recommendation: To better oversee the efficacy of PPACA's enrollment control process; to better monitor costs, risk, and program performance; to assist with tax compliance; to strengthen the eligibility determination process; to provide applicants with improved customer service and up-to-date information about submission of eligibility documentation; and to better document agency activities, the Secretary of Health and Human Services should direct the Acting Administrator of CMS to fully document prior to implementation, and have readily available for inspection thereafter, any significant decision on qualified health plan enrollment and eligibility matters, with such documentation to include details such as policy objectives, supporting analysis, scope, and expected costs and effects.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In April 2016, HHS reported it considers this recommendation closed because CMS prepares an annual Marketplace and Related Programs Cycle Memo to fulfill reporting requirements for internal control. The Memo describes all significant eligibility and enrollment policy and process changes, including new internal key controls associated with these changes, and the 2015 Memo was released in September 2015. In May 2016, we notified HHS that its actions do not close the recommendation. Information contained in the Memos is after-the-fact and while useful, does not meet the full range of documentation contemplated by our recommendation, especially development and analysis of changes prior to implementation. As of December 2018, HHS officials had not provided GAO with evidence that the agency has implemented this recommendation. In December 2019, HHS reversed its initial concurrence with the recommendation and said it would provide additional information on that decision. We will continue to monitor the agency's progress in this area.

Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should establish mechanisms for department-wide oversight of defense agencies' compliance with the GIDEP reporting requirement.

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: In providing comments to this report DOD concurred with this recommendation but has not completed actions to implement it. DOD has drafted new combined DOD instruction and guidance that addresses the process of reporting suspected counterfeit parts to GIDEP. As of August 2020, the document is still in the process of being formally approved. DOD estimated that it could be approved in the first quarter of fiscal year 2021.

Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should develop a standardized process for determining the level of evidence needed to report a part as suspect counterfeit in GIDEP, such as a tiered reporting structure in GIDEP that provides an indication of where the suspect part is in the process of being assessed.

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: In providing comments to this report DOD concurred with this recommendation but has not completed actions to implement it. DOD has drafted new combined DOD instruction and guidance that addresses the process of reporting suspected counterfeit parts to GIDEP. As of August 2020, the document is still in the process of being formally approved. DOD estimated that it could be approved in the first quarter of fiscal year 2021.

Recommendation: To provide greater compliance with the GIDEP reporting requirement among the DOD components and their defense supplier-base, the Undersecretary of Defense for Acquisition, Technology and Logistics should develop guidance for when access to GIDEP reports should be limited to only government users or made available to industry.

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: In providing comments to this report DOD concurred with this recommendation but has not completed actions to implement it. DOD has drafted new combined DOD instruction and guidance that addresses the process of reporting suspected counterfeit parts to GIDEP. As of August 2020, the document is still in the process of being formally approved. DOD estimated that it could be approved in the first quarter of fiscal year 2021.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretary of the Treasury should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the financial services sector's cybersecurity progress.

Agency: Department of the Treasury
Status: Open

Comments: The Department of the Treasury, as the sector-specific agency for the financial services sector, continues to develop initiatives intended to enhance the sector's cybersecurity. In 2016, Treasury developed and promulgated a set of seven fundamental elements or critical building blocks for sector stakeholders' cybersecurity, disseminated a template for financial sector cyber exercises, and promoted the NIST Cybersecurity Framework throughout the sector. However, they have not provided evidence of metrics implemented, and the 2015 sector-specific plan does not include specific metrics to track and report on their effectiveness. We will continue to monitor Treasury's efforts to create specific metrics and related reports on the sector's cybersecurity progress.

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Agriculture
Status: Open

Comments: The Department of Agriculture (USDA), as the co-sector specific agency for the food and agriculture sector, with the Department of Health and Human Services (HHS) continues to implement cybersecurity-related activities for the sector. In particular, USDA, through the sector coordination council, routinely shares best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, USDA has hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As USDA and HHS continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Secretaries of Agriculture and Health and Human Services (as co-SSAs) should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the food and agriculture sector's cybersecurity progress.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS), as the co-sector specific agency for the food and agriculture sector, with the Department of Agriculture (USDA) continues to implement cybersecurity-related activities for the sector. In particular, through the sector coordination council, they routinely share best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, they have hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As HHS and USDA continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities

Recommendation: To better monitor and provide a basis for improving the effectiveness of cybersecurity risk mitigation activities, informed by the sectors' updated plans and in collaboration with sector stakeholders, the Administrator of the Environmental Protection Agency should direct responsible officials to develop performance metrics to provide data and determine how to overcome challenges to monitoring the water and wastewater systems sector's cybersecurity progress.

Agency: Environmental Protection Agency
Status: Open

Comments: The Environmental Protection Agency (EPA) continues to develop and implement activities in support of the water and wastewater sector's cybersecurity such as a cyber-attack risk assessment tool and cybersecurity training for sector partners. The 2015 water and wastewater sector-specific plan calls for assessing performance and reporting on sector cybersecurity progress; however, the plan does not state specific measures. In 2017, agency officials stated that the development of performance metrics in collaboration with sector partners was underway; however, EPA has not provided evidence of the metrics or any tracking effort. As EPA continues to carry out its sector-specific agency role, we will continue to monitor its efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.

Recommendation: To improve the effectiveness of DOD's strategy for preventing sexual assault in the military, as part of the department's next biennial update to the 2014-16 sexual-assault prevention strategy, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to identify risk and protective factors for all of its domains, including the military community and its leaders.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for preventing sexual assault. The PPoA contains 29 actions DOD will take to implement the prevention strategy. In March 2020, DOD officials stated that they had chartered a Prevention Collaboration Forum, which consists of subject matter experts, to address destructive behaviors which may share the same risk and protective factors as sexual assault. Additionally, DOD officials stated that research had begun on identifying the department's risk and protective factors. The officials expected the completed risk studies to be published internally in April 2020 and June 2020. We will continue to monitor DOD's efforts and update the recommendation's status when more information becomes available.

Recommendation: To help improve DOD's ability to measure the effectiveness of the department's efforts in preventing sexual assault in the military, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Secretaries of the military departments, to fully develop the department's performance measures for the prevention of sexual assault so that the measures include all key attributes of successful performance measures.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for a strategic approach to preventing sexual assault. The PPoA contains 29 actions DOD plans to take to implement the prevention strategy, and instructs DOD to continuously evaluate sexual assault prevention activities. In December 2019, DOD officials stated that they were in the process of conducting an assessment of each of the services' efforts to implement the prevention strategy. Additionally, DOD officials stated that they are developing a milestone report to be issued by the end of fiscal year 2020 that will include updates on all of the department's efforts to prevent sexual assault. DOD is also planning to issue a report in fiscal year 2023 that will include a complete evaluation of the department's efforts to prevent sexual assault. We will continue to monitor DOD's efforts and update the recommendation's status when more information becomes available.

Recommendation: To help ensure widespread adoption and implementation of DOD's sexual-assault prevention strategy and to fulfill its role as a framework that can assist leaders and planners in the development of appropriate tasks, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness, in conjunction with the Secretaries of the military departments, to ensure the military services' Sexual Assault Prevention and Response policies are aligned with the department's prevention strategy.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for a strategic approach to preventing sexual assault. The PPoA contains 29 actions DOD will take to implement the prevention strategy. The PPoA also directs the military services to review and revise their policies to reduce sexual assault and execute prevention activities. According to DOD officials, these efforts are currently underway. We will update the status of this recommendation when more information becomes available.

Recommendation: To balance combatant commanders' demands for forward presence with the Navy's needs to sustain a ready force over the long term and identify and mitigate risks consistent with Federal Standards for Internal Control, the Secretary of Defense should direct the Secretary of the Navy to, to fully implement its optimized fleet response plan, develop and implement a sustainable operational schedule for all ships homeported overseas.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation. In August 2015, the Navy reported that it had approved and implemented revised optimized fleet response plan schedules for all ships homeported overseas-six different operational schedules for various naval forces homeported in different overseas locations. We closed the recommendation as implemented in 2015. In 2017, the Navy suffered four significant mishaps at sea resulting in serious damage to its ships and the loss of 17 sailors. Three of the four ships involved were homeported in Japan. The resulting Navy investigations revealed that due to heavy operational demands, the Navy had not fully implemented the revised operational schedules it developed in 2015 for ships based in Japan. In light of this information, GAO re-opened this recommendation. As of February 2020, the Navy had developed a change to the operational schedule for ships homeported in Japan, but has not yet codified this change in Navy guidance. The Navy also established Commander, Naval Surface Group, Western Pacific (CNSGWP) to oversee surface ship maintenance, training, and certification for ships based in Japan. Due to continuing heavy operational demands, GAO will continue to monitor the Navy's adherence to the revised schedules before it closes this recommendation as implemented.

Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS disagreed with this recommendation at the time we made it stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. In September 2017, IRS finished developing ACA and the investment transitioned to the operations and maintenance phase. We followed up with IRS to determine the extent to which it might be implementing the recommendation in light of this transition. In response, in June and December 2019 , IRS provided some documentation, including systems acceptance test plans and end-of-test results reports for ACA releases completed since September 2017. We reviewed the documentation provided and determined that it did not provide a status of testing for all systems impacted as we recommended. As of September 2020, we were following up with IRS to determine if the agency has other documentation provided to senior managers that addresses our recommendation.

Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to enable DOD to better identify, address, and mitigate performance issues with the Autonomic Logistics Information System (ALIS) that could have an effect on affordability, as well as readiness, to establish a performance-measurement process for ALIS that includes, but is not limited to, performance metrics and targets that (1) are based on intended behavior of the system in actual operations and (2) tie system performance to user requirements.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with our recommendation. According to DOD officials, as of July 2018, plans are emerging between the services and the Joint Program Office on a path forward for ALIS, focusing on both the current iteration of ALIS and the future state. Going forward, the services and the Joint Program Office are developing plans for the necessary re-architecture of ALIS. Once these current improvements and future requirements are finalized, appropriate performance metrics, tying system performance in operations environments to user requirements, will be incorporated. As of January 2020, DOD officials stated that there was no update to this status. Although DOD has a way ahead as it relates to developing performance metrics for ALIS, DOD has yet to develop any metrics that are based on intended behavior of the system and tie system performance to user requirements. Until DOD takes this action, our recommendation will remain open.

Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to develop a high level of confidence that the aircraft will achieve its R+M goals, to develop a software reliability and maintainability (R+M) assessment process, with metrics, by which the program can monitor and determine the effect that software issues may have on overall F-35 R+M issues.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. According to DOD officials, as of July 2018, the department and the Joint Program Office, as part of their focus on agile software development, are working to incorporate software reliability and maintainability metrics into future software development and sustainment contracts. Some of the proposed metrics under consideration include: change failure rate; number of errors in developmental/user/operational testing; time to fix on critical errors; and mean time to restore. As of September 2019, DOD officials stated that there was no update to this status. Although attention is being paid to software Reliability & Maintainability, until DOD develops a process focused on software and its effects on overall Reliability & Maintainability issues, this recommendation will remain open.

Recommendation: To help DOD address key risks to F-35 affordability and operational readiness, and to improve the reliability of its O&S cost estimates for the life cycle of the program, the Secretary of Defense should direct the F-35 Program Executive Officer, to promote competition, address affordability, and inform its overarching sustainment strategy, to develop a long-term Intellectual Property (IP) Strategy to include, but not be limited to, the identification of (1) current levels of technical data rights ownership by the federal government and (2) all critical technical data needs and their associated costs.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with our recommendation. According to DOD officials, as of January 2020, in the updated F-35 Life Cycle Sustainment Plan (LCSP) issued in January 2019, "Secure Use of Appropriate Technical Data" was one of the identified elements of success necessary to improve F-35 readiness and reduce sustainment costs. As part of the ongoing Plans of Action & Milestones (POAM) implementation process for the LCSP success elements, the F-35 Joint Program Office is working with the OEMs to determine the data rights the government already has, and to determine the specific technical data the government needs, and what it needs that data to accomplish. Significant progress has been made on both fronts with the prime contractor. We acknowledge that progress surrounding technical data rights is being made; however, until an Intellectual Property strategy is developed and released, this recommendation will remain open.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region, and an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. GAO will review the latest information on DHS headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading capital planning practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to conduct the following assessments and use the results to inform updated DHS headquarters consolidation plans: (1) a comprehensive needs assessment and gap analysis of current and needed capabilities that take into consideration changing conditions, and (2) an alternatives analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the project and prioritizes options to account for funding instability.

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150), enacted on April 29, 2016, mirrors GAO recommendations in this area. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS's headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region, and an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. We will review the latest information on DHS's headquarters consolidation efforts when it is provided to Congress, and will assess the materials in the context of these recommendations at that time. Continued DHS and GSA attention to following leading practices for capital planning and cost and schedule estimation is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: In order to improve transparency and allow for more informed decision making by congressional leaders and DHS and GSA decision-makers, before requesting additional funding for the DHS headquarters consolidation project, after revising the DHS headquarters consolidation plans, the Secretary of Homeland Security and the Administrator of the General Services Administration should work jointly to develop revised cost and schedule estimates for the remaining portions of the consolidation project that conform to GSA guidance and leading practices for cost and schedule estimation, including an independent evaluation of the estimates.

Agency: General Services Administration
Status: Open
Priority recommendation

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of April 2020, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes updated cost and schedule estimates for the consolidation project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. GAO will review the latest DHS headquarters consolidation cost and schedule estimates when they are provided to Congress, and will assess the materials in the context of this recommendation at that time. Continued DHS and GSA attention to following leading cost and schedule estimation practices is critical given the project's multi-billion dollar cost and impact on future departmental operations.

Recommendation: Congress should consider making future funding for the St. Elizabeths project contingent upon DHS and GSA developing a revised headquarters consolidation plan, for the remainder of the project, that conforms with leading practices and that (1) recognizes changes in workplace standards, (2) identifies which components are to be colocated at St. Elizabeths and in leased and owned space throughout the National Capital Region, and (3) develops and provides reliable cost and schedule estimates.

Agency: Congress
Status: Open

Comments: The Department of Homeland Security Headquarters Consolidation Accountability Act of 2015 (Pub. L. No. 114-150) was enacted on April 29, 2016. Among other things, the act requires DHS, in coordination with GSA, to submit information to Congress about DHS headquarters consolidation efforts not later than 120 days of enactment. As of March 2019, DHS and GSA had not submitted the information to Congress required by Pub. L. No. 114-150. Required information includes: a comprehensive assessment of property and facilities utilized by DHS in the National Capital Region; an analysis that identifies the costs and benefits of leasing and construction alternatives for the remainder of the consolidation project; and updated cost and schedule estimates for the project that are consistent with GAO's recommendations in GAO-14-648. Furthermore, the act requires the Comptroller General to evaluate the cost and schedule estimates not later than 90 days after their submittal to Congress. DHS reported that DHS and GSA prepared a comprehensive response to P.L. No. 114-150, but that the consolidation plan and response needed to be revised based on changing budget circumstances, among other things. In April 2020, DHS estimated that the final consolidation plan will be completed and approved in 2020. A comprehensive report to Congress on DHS headquarters consolidation, along with reliable project cost and schedule estimates, could inform Congress's funding decisions.

Recommendation: To improve the acquisition management of the Plan and the reliability of its cost estimates and schedules, assess the effectiveness of deployed technologies, and better inform CBP's deployment decisions, once data on asset assists are required to be recorded and tracked, the Commissioner of CBP should analyze available data on apprehensions and seizures and technological assists, in combination with other relevant performance metrics or indicators, as appropriate, to determine the contribution of surveillance technologies to CBP's border security efforts.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation

Comments: In 2014, CBP expanded its Arizona Border Surveillance Technology Plan to the Southwest Border Technology Plan. In February 2015, the Border Patrol took steps to address this recommendation by developing the Capability Gap Analysis Process (CGAP) with the support of Johns Hopkins University's Applied Physics Lab to examine the effects of technology and other assets. In May 2017, Border Patrol officials demonstrated a new system, intended to allow for more comprehensive analysis of the contributions of surveillance technologies to Border Patrol's mission during the CGAP process. As of March 2019, Border Patrol is now able to generate a performance report, using data collected from multiple systems, on how surveillance technologies have assisted agents during operations, including Border Patrol apprehensions. In February 2020 Border Patrol officials stated the data gathered in the report were reliable. They also provided examples of how they use available performance data to help identify gaps in capabilities and inform future investments in surveillance technologies. Border Patrol officials are also developing a surveillance capability score intended to represent the combined contributions of individual technology assets and agents on patrol to conduct surveillance in a given area. Border Patrol plans to report this score in fiscal year 2021, according to documentation provided by Border Patrol. We view these efforts, as described, as important progress toward fulfilling our recommendation, and will review the planned surveillance capability score once it is implemented to determine whether Border Patrol has fully implemented our recommendation.

Recommendation: To help maintain a more thorough and insightful 2020 Census development schedule in order to better manage risks to a successful 2020 Census, the Secretary of Commerce and Undersecretary of Economic Affairs should direct the U.S. Census Bureau to improve the credibility of schedules, including conducting a quantitative risk assessment.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: The Bureau agreed with this recommendation and stated that it had already begun maturing project schedules to ensure that the logical relationships between discrete schedules were put into place. Schedule integration sessions across projects and programs were held in late January 2014 and into February 2014 and periodically since then, where work was deconstructed into detailed schedules. The Bureau released its operational plan and other documentation in November 2015 and announced in June 2016 that it would finalize and release its 2020 Census schedule in July 2016. In 2015, the Bureau provided us with a preliminary output from its risk analysis software as a demonstration of the type of analysis it had committed to, but since then its officials have said that they will not be able to take all the steps needed to satisfy this recommendation for the 2020 Census. The Bureau took steps toward conducting quantitative schedule risk analyses with its master activity schedule for the 2020 Census, but effectively ran out of time to do so. Assigning resources to large complex schedules in order to conduct such analyses is easier to do early in schedule development process, as we recommended the Bureau do in 2009 for its 2020 Census schedule. This recommendation will remain open pending the Bureau taking steps to carry out quantitative risk assessments of its 2030 schedule with appropriate resources linked to it.

Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).

Agency: Department of Homeland Security
Status: Open

Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. In August 2020, DHS officials provided GAO with additional information regarding their progress on implementing the recommendation. We will update the status of this recommendation after we review the additional information from DHS.

Recommendation: To establish full-risk rates for properties with previously subsidized rates that reflect their risk for flooding, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to develop and implement a plan, including a timeline, to obtain needed elevation information as soon as practicable.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: As of January 2020, FEMA continues its multi-year effort to redesign its risk rating system to reflect industry best practices, such as providing credible, understandable rates based on graduated risk. As part of this redesign, FEMA plans to obtain multiple sources of data and information about a property's risk of flooding--from which it may be able to derive elevation information on some properties--to develop the insurance rate. FEMA has delayed implementation of the new risk rating system until 2021, pending further analysis. In addition, FEMA issued a Request for Information on obtaining structural elevation information from third party sources and is reviewing responses from potential vendors. The agency also encourages subsidized policyholders who seek to ensure the appropriateness of their NFIP rates to voluntarily submit elevation documentation. We will continue to monitor the extent to which FEMA is able to produce elevation information for all currently subsidized properties.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to estimating improper payments, to establish and implement key quality assurance procedures, such as reconciliations, to ensure the completeness and accuracy of the sampled populations.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: The Department of Defense (DOD), in concurring with this recommendation, stated that DOD will work with the Defense Finance and Accounting Service (DFAS) to implement key quality assurance procedures, such as reconciliations, to ensure the completeness and accuracy of sampled populations. In August 2017, DOD officials stated that its Office of the Under Secretary of Defense (Comptroller) will continue its work with DFAS to annually reconcile gross outlays (as stated on its Statement of Budgetary Resources) with outlays as reported in its Agency Financial Report. These reconciliations are currently done only on a summary level. In the future, DOD's validation of its universe of transactions combined with planned reconciliations with the Defense Departmental Reporting System trial balance and transaction data from DOD's entitlement systems will provide more complete reconciliations. As of December 2019, DOD officials stated that DOD needs to resolve its material weakness relating to the universe of transactions. This material weakness is preventing the department from performing the reconciliations necessary to ensure that the populations, from which the samples are drawn to estimate improper payments, are complete and accurate. As of May 2020, DOD had developed a spreadsheet including over 80 financial management and disbursing systems. The Office of the Under Secretary of Defense, OUSD(C), is planning to review and analyze these systems to (1) determine the types of payments and lists of systems used to process the types of payments; (2) confirm if reconciliations are done to verify the total outlays; and (3) determine the testing status of the universe of payments. As of September 30, 2020, this recommendation remains open.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to implementing recovery audits, to monitor the implementation of the revised FMR chapter on recovery audits to ensure that the components either develop recovery audits or demonstrate that it is not cost effective to do so.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would work with the applicable components to monitor the implementation of the revised Financial Management Regulation (FMR) chapter on recovery audits (subsequently renamed as payment recapture audits). According to DOD officials, this action would help to ensure that recovery audits are developed, or will demonstrate that it is not cost-effective to do these audits. In July 2015, DOD was working to update the FMR chapter on recovery audits to reflect revised Office of Management and Budget (OMB) guidance issued in October 2014. DOD issued its revised FMR chapter in November 2015. This chapter requires components to develop cost-effective payment recapture audits or to submit a quantitative justification to the Office of the Under Secretary (Comptroller) for approval. However, we consider this recommendation to be open because DOD did not provide documentation demonstrating that the Office of the Under Secretary of Defense (Comptroller) is monitoring component implementation of recovery auditing. Further, as of April 2017, DOD's efforts to develop cost-estimates for recovery audits were still under way. As of October 2018, this recommendation remains open. As of December 2019, DOD stated that in FY 2020, the Office of the Under Secretary (Comptroller) will coordinate with the DOD improper payment reporting components to analyze whether it would be cost effective to implement payment recapture audit programs for their payments. In a March 20, 2020 memorandum, the Deputy CFO asked DOD components, programs, or activities with annual payments exceeding $1 million to submit a payment recapture plan by June 30, 2020. If a component determines that payment recapture audits are not cost-effective, then the plan must provide the specific analysis and documentation used to reach that conclusion. When completed, the results of the evaluation will serve the Department's final position on payment recapture audit programs. As of September 30, 2020, this recommendation remains open as this evaluation was not yet complete.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to implementing recovery audits, to develop and submit to OMB for approval a payment recapture audit plan that fully complies with OMB guidance.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would develop and submit to the Office of Management and Budget (OMB) a payment recapture plan that fully complies with OMB guidance and is informed by a cost-effectiveness analysis. In July 2015, DOD's Office of the Under Secretary of Defense (Comptroller) efforts to develop a payment recapture audit plan to ensure cost-effectiveness were ongoing and these efforts must be completed before a plan can be submitted to the OMB. In June 2016, DOD officials stated that the Comptroller's efforts to develop a payment recapture audit plan to ensure cost-effectiveness were ongoing. As of August 28, 2017, DOD officials stated that the Office of the Under Secretary of Defense (Comptroller) will determine if a payment recapture audit plan was developed and submitted to OMB for approval in the previous fiscal years. If so, the Office of the Under Secretary of Defense (Comptroller) will determine its relevance and significance (i.e. cost effectiveness)to the improper payments program. If the payment recapture audit plan is considered to be applicable, the Office of the Under Secretary of Defense (Comptroller) will update the previous plan to comply with current OMB guidance. As of October 2018, this recommendation remains open. As of December 2019, DOD stated that in FY 2020, the Office of the Under Secretary (Comptroller) will coordinate with the DOD improper payment reporting components to analyze whether it would be cost effective to implement payment recapture audit programs for their payments. In a March 20, 2020 memorandum, the Deputy CFO asked DOD components, programs, or activities with annual payments exceeding $1 million to submit a payment recapture plan by June 30, 2020. If a component determines that payment recapture audits are not cost-effective, then the plan must provide the specific analysis and documentation used to reach that conclusion. When completed, the results of the evaluation will serve the Department's final position on payment recapture audit programs. As of September 30, 2020, this recommendation remains open as this evaluation was not yet complete..

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense (Comptroller), with regard to reporting, to design and implement procedures to ensure that the department's annual improper payment and recovery audit reporting is complete, accurate, and in compliance with IPERA and OMB guidance.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: Department of Defense (DOD) officials, in concurring with this recommendation, stated that DOD would design and implement procedures to further ensure that its annual improper payment and recovery audit reporting is complete, accurate, and in compliance with the Improper Payments Elimination and Recovery Act (IPERA) requirements and Office of Management and Budget (OMB) guidance. In June 2015, DOD revised its FMR chapter on improper payments to require components to provide information needed to report on improper payment and recovery audit activities in its annual financial report (AFR) in accordance with IPERA requirements and OMB guidance. DOD's fiscal year 2015 AFR reflected its implementation of the revised FMR. We found that DOD's improper payment reporting in its fiscal year 2015 AFR had improved. However, we were not provided with evidence that Office of the Under Secretary of Defense (Comptroller) is performing oversight and monitoring activities to ensure the accuracy and completeness of the improper payment and recovery audit data submitted by DOD components for inclusion in the AFR. DOD is continuing to work on procedures for ensuring that its reporting on improper payment and recovery audits is accurate, complete, and in compliance with IPERA and OMB guidance. The Office of the Under Secretary of Defense (Comptroller) has developed and implemented a Payment Integrity Checklist to ensure that the department's annual improper payment and recovery audit reporting was complete, accurate, and in compliance with IPERA and OMB guidance. However, the DOD Inspector General in its May 2020 report, stated that while DOD published improper payment estimates for all eight programs for fiscal year 2019, it did not publish reliable estimates for five of the eight programs: Military Health Benefits, Civilian Pay, Military Retirement, DOD Travel Pay, and Commercial Pay. Moreover, DOD did not use accurate populations in calculating the improper payment estimates for the Military Retirement, Commercial Pay, and DOD Travel Pay programs. Based on these issues affecting improper payment reporting, we consider this recommendation to be open as of September 30, 2020.

Recommendation: To ensure that EPA maximizes its limited resources and addresses the statutory, regulatory, and programmatic needs of EPA program offices and regions when IRIS toxicity assessments are not available, and once demand for the IRIS Program is determined, the EPA Administrator should direct the Deputy Administrator, in coordination with EPA's Science Advisor, to develop an agencywide strategy to address the unmet needs of EPA program offices and regions that includes, at a minimum: (1) coordination across EPA offices and with other federal research agencies to help identify and fill data gaps that preclude the agency from conducting IRIS toxicity assessments, and (2) guidance that describes alternative sources of toxicity information and when it would be appropriate to use them when IRIS values are not available, applicable, or current.

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: As of February 2020, IRIS program officials indicated that they are building capacity for applying systematic review in chemical assessments. We reported in March 2019 that staff from the IRIS program were communicating more frequently with EPA program and regional offices about program and regional office needs and the IRIS program's ability to meet those needs. While ORD's newly-implemented survey process helps identify a limited number of the highest priority needs for program and regional offices, we also reported in March 2019 that program and regional officials told us that they still need far more chemical assessments than the IRIS program currently produces, and they do not have EPA-wide guidance on what sources to use when IRIS assessments are not available. One program office has developed its own prioritized list of sources for chemical assessments when IRIS assessments are not available, and other offices follow similar guidelines, though none officially. EPA leadership needs to provide documentation showing an agency-wide strategy that includes identifying data gaps and guidance on alternative sources of toxicity information when IRIS values are not available, applicable, or current.

Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to include in its resource baseline cost estimates all life cycle costs, specifically the operations and support costs, from the military services in order to provide decision makers with the full costs of ballistic missile defense systems.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD partially concurred with our 2013 recommendation that decisionmakers should have insight into the full lifecycle costs of MDA's weapon systems outlined in the Ballistic Missile Defense System Accountability Report (BAR), including the military services' operations and sustainment (O&S) costs. This is especially important, as after more than a decade MDA has yet to transfer weapon systems in production and sustainment to the military services, as originally intended. Consequently, MDA is becoming responsible for an increasing amount of the costs associated with these weapon systems. DOD and Congress have expressed concerns over this situation and are exploring a path forward; however, in the mean time, determining the O&S costs can help decisionmakers fully understand the financial responsibility for these weapon systems, be it with the military services or MDA. MDA cited beginning to report aspects of this information in the BAR and also establishing joint cost estimates (JCE) for O&S with the military services for some weapon systems, both of which could potentially serve as a means of providing decisionmakers with insight into the full lifecycle costs. We have an ongoing assessment that will evaluate both of MDA's cited efforts and the extent to which these are providing decisionmakers with a comprehensive understanding of the depth and breadth of each weapon system's full lifecycle costs.

Recommendation: In order to strengthen investment decisions, place the chosen investments on a sound acquisition footing, provide a better means of tracking investment progress, and improve the management and transparency of the U.S. missile defense approach in Europe, the Secretary of Defense should direct MDA's new Director to stabilize the acquisition baselines, so that meaningful comparisons can be made over time that support oversight of those acquisitions.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with our 2013 recommendation regarding the need for MDA to stabilize its acquisition baselines, but also noted MDA's need to adjust its baselines to remain responsive to evolving requirements and threats; both of which are beyond MDA's control. Further, DOD highlighted the MDA Director's authority to make adjustments to the agency's programmatic baselines, within departmental guidelines. Our recommendation, however, is not designed to limit the Director's authority to adjust baselines or to prevent adjusting the baselines, as appropriate. Rather, our recommendation is designed to address traceability issues we have found with MDA's baselines, which are within its control. Specifically, for MDA to be able to effectively report longer-term progress of its acquisitions and provide the necessary transparency to Congress, it is critical that the agency stabilize its baselines so that once set, any revisions can be tracked over time. We have an ongoing assessment to update MDA's progress.

Recommendation: To better position EPA to collect chemical toxicity and exposure-related data and ensure chemical safety under existing TSCA authority, while balancing its workload, and to better position EPA to ensure chemical safety under existing TSCA authority, the Administrator of EPA should direct the appropriate offices to develop strategies for addressing challenges that impede the agency's ability to meet its goal of ensuring chemical safety. At a minimum, the strategies should address challenges associated with: (1) obtaining toxicity and exposure data needed to conduct ongoing and future TSCA Work Plan risk assessments, (2) gaining access to toxicity and exposure data provided to the European Chemicals Agency, (3) working with processors and processor associations to obtain exposure-related data, (4) banning or limiting the use of chemicals under section 6 of TSCA and planned actions for overcoming these challenges--including a description of other actions the agency plans to pursue in lieu of banning or limiting the use of chemicals, and (5) identifying the resources needed to conduct risk assessments and implement risk management decisions in order to meet its goal of ensuring chemical safety.

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: As of March 2020, several sections of this recommendation have been superseded by the Frank R. Lautenberg Chemical Safety for the 21st Century of 2016. However, questions remain about whether the Office of Chemical Safety and Pollution Prevention, which oversees implementation of this legislation, has identified the resources necessary to conduct risk assessments and implement risk management decisions.

Recommendation: To better enable CPSC to target unsafe consumer products, Congress may wish to amend section 29(f) of CPSA to allow CPSC greater ability to enter into information-sharing agreements with its foreign counterparts that permit reciprocal terms on disclosure of nonpublic information.

Agency: Congress
Status: Open

Comments: As of May 15, 2020, Section 29 of CPSA had not been amended since 2008. In 2013, a bill was introduced (S.1887) but not passed. That bill would have allowed "the Commission, when sharing information under the federal-state cooperation program with a foreign government agency for official law enforcement or consumer protection purposes, to authorize a foreign government agency to make that information available to another agency of the same foreign government (including a political subdivision of that foreign government that is located within the same territory or administrative area as the agency disclosing the information) if an appropriate official of the foreign government agency disclosing the information certifies (by prior agreement, memorandum of understanding with the CPSC, or other written certification) that it will establish and apply specified confidentiality restrictions under the Consumer Product Safety Act."

Recommendation: To better ensure the credibility of IRIS assessments by enhancing their timeliness and certainty, the EPA Administrator should require the Office of Research and Development, should different time frames be necessary, to establish a written policy that clearly describes the applicability of the time frames for each type of IRIS assessment and ensures that the time frames are realistic and provide greater predictability to stakeholders.

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: As of March 2020, we have not seen a formal written memo from the IRIS program laying out this information - in detail - publicly, or how timelines for assessments are influenced by various criteria. While IRIS program staff have discussed this issue, no written guidance has been created. Such communication from the IRIS Program, as well as more frequent updates of the timelines for chemicals currently in assessment and projected starting dates for every chemical listed as "under assessment" is needed.

Recommendation: To ensure that current and accurate information on chemicals that EPA plans to assess through IRIS is available to IRIS users--including stakeholders such as EPA program and regional offices, other federal agencies, and the public--the EPA Administrator should direct the Office of Research and Development to annually publish the IRIS agenda in the Federal Register each fiscal year.

Agency: Environmental Protection Agency
Status: Open

Comments: As of March 2020, EPA's Integrated Risk Information System (IRIS) Program has established the priority chemicals it is working on, and has published some timelines via the IRIS Program Outlook document. However, this information has not been published as an agenda in the Federal Register.

Recommendation: Because EPA alone cannot address the complexities of the nation's challenges in addressing environmental health risks for children, Congress may wish to consider re-establishing a government-wide task force on children's environmental health risks, similar to the one previously established by Executive Order 13045 and co-chaired by the Administrator of EPA and the Secretary of Health and Human Services. Congress may wish to consider charging it with identifying the principal environmental health threats to children and developing national strategies for addressing them. Congress may also wish to consider establishing in law the Executive Order's requirement for periodic reports about federal research findings and research needs regarding children's environmental health.

Agency: Congress
Status: Open

Comments: As of March 2020, we have not identified actions by the Congress to establish in law requirements such as those in Executive Order 13045.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to determine in advance the amounts built into the payment rates for estimated expenses and profit.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA's current payment rates do not explicitly consider WYO insurers' actual expenses and profit. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to annually analyze the amounts of actual expenses and profit in relation to the estimated amounts used in setting payment rates.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. However, GAO has reported that an annual analysis of the WYO insurers' actual expenses and profit could be regularly performed in relation to FEMA's existing payment methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they would complete an annual analysis of WYO data by the end of fiscal year 2020 and that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To provide transparency and accountability over the payments FEMA makes to WYOs for expenses and profits, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to consider the results of the analysis of payments, actual expenses, and profit in evaluating the methods for paying WYOs.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To increase the usefulness of the data reported by WYOs to the National Association of Insurance Commissioners (NAIC) and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to take actions to obtain reasonable assurance that NAIC flood insurance expense data can be considered in setting payment rates that are appropriate, including identifying affiliated company profits in reported flood insurance expenses.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop method(s) for obtaining reasonable assurance that NAIC data is accurate and usable for setting payment rates before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To increase the usefulness of the data reported by WYOs to the National Association NAIC and to institutionalize FEMA's use of such data, the Secretary of Homeland Security should direct the Under Secretary of Homeland Security, FEMA, to develop comprehensive data analysis strategies to annually test the quality of flood insurance data that WYOs report to NAIC.

Agency: Department of Homeland Security
Status: Open

Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop and implement data analysis strategies to annually test the quality of flood insurance data WYO insurers report to NAIC before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.

Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to develop a realistic schedule for the W76 warhead and future life extension programs that allows NNSA to (1) address technical challenges while meeting all military requirements and (2) build in time for unexpected technical challenges that may delay the program.

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: In past and ongoing work, GAO has identified areas where NNSA's modernization plans may not align with planned funding requests over the Future Years Nuclear Security Plan (FYNSP) and post-FYNSP periods. Based on the FY 2014 Stockpile Stewardship and Management Plan (SSMP), (GAO-14-45) NNSA plans to work on five life extension programs (LEP) or major alterations through 2038. The FY 2014 SSMP states that the LEP workload represents a resource and production throughput challenge that requires improvements in LEP planning and execution. GAO's analysis indicates there is limited contingency time built into the LEP schedules, all of which are technically ambitious. Any delays in schedules could lead to an increase in program costs or a reduction in the number built for any of the LEPs, both of which have occurred in prior and ongoing LEPs. While NNSA has acknowledged issues and identified some steps to improve the LEP process, this recommendation will remain open and unimplemented until NNSA demonstrates successful LEP and refurbishment execution. We reconfirmed this finding in GAO-17-341 where we found the following: In some cases, NNSA's FY 2017 nuclear security budget materials do not align with the agency's modernization plans, both within the 5-year FYNSP for fiscal years 2017 through 2021 and beyond, raising concerns about the affordability of NNSA's planned portfolio of modernization programs. As of June 2020, this situation has not been fully addressed as evidenced by cost increases and likely delays in the B61-12 and W88 ALTV programs; an aggressive schedule in the W80-4 program, and a large scope in the W87-1 warhead replacement. In addition, new programs contained in the 2018 Nuclear Posture Review and the announcement of a new development effort, the W93, may further stress NNSA's program.

Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to ensure that the program managers responsible for overseeing the construction of new facilities directly related to future life extension programs coordinate with the program managers of such future programs to avoid the types of delays and problems faced with the construction and operation of the Fogbank manufacturing facility for the W76 program.

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: A number of Stockpile Stewardship and Management Plans (SSMP) state that the life extension program (LEP) workload represents a resource and production throughput challenge that requires improvements in LEP planning and execution. The officials elaborated that the main area that will be strained is pit production. NNSA's plutonium strategy needs to be resourced fully and implemented successfully by 2030 to support the W87 warhead replacement. Additionally, the officials said that the UPF project and an arrange of associated programmatic efforts need to be operational by 2025 or there will be challenges in completing all of the planned LEPs. In addition, NNSA needs to re-establish depleted uranium operations, construct a new lithium facility and establish a domestic uranium enrichment function for tritium production by the late 2020s to meet stockpile needs. As such, this recommendation remains open and, given the aggressive warhead and bomb modernization efforts proceeding in parallel with infrastructure modernization efforts, will likely remain open for some time.

Recommendation: To improve the management of the stockpile life extension program, the Administrator of NNSA should direct the Deputy Administrator for Defense Programs to ensure that program managers for the construction of new facilities for future life extensions base their schedule for the construction and start-up of a facility on the life extension program managers' needs identified in their risk mitigation strategies.

Agency: Department of Energy: National Nuclear Security Administration
Status: Open

Comments: NNSA has generally improved its management of construction projects, to include requirements setting, Analysis of Alternatives, and independent cost estimates, among other items. However, it is too soon to tell if these positive developments will help--or hinder--LEPs that are underway or are being conducted. Key uranium activities, to include construction and operating funds will not be complete until 2025; key tritium and lithium programs and facilities will not complete until the 2030s; key plutonium activities are underway as well, but will not be complete until the late 2020s. As of June 2020, there are no significant changes related to this recommendation, and it will continue to remain open.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to take steps to ensure that its rate-setting methods and the data it uses to set rates result in full-risk premiums rates that accurately reflect the risk of losses from flooding. These steps should include, for example, verifying the accuracy of flood probabilities, damage estimates, and flood maps; ensuring that the effects of long-term planned and ongoing development, as well as climate change, are reflected in the flood probabilities used; and reevaluating the practice of aggregating risks across zones.

Agency: Department of Homeland Security
Status: Open
Priority recommendation

Comments: In April 2018, FEMA officials told us they had begun to redesign NFIP's risk rating system to help ensure policy rates better reflect the risk of flooding. The redesign, known as Risk Rating 2.0, includes efforts to use catastrophe models, stochastic approaches, and updated map information to better reflect the variation in flood risk. These reforms are also intended to improve how FEMA's rating process accounts for general and specific factors that affect flood probabilities and damage. While FEMA initially announced that new rates for all single-family homes would go into effect nationwide on October 1, 2020, it announced in November 2019 that it would defer implementation to October 1, 2021. FEMA said this would allow it to conduct a comprehensive analysis of the proposed rating structure so as to protect policyholders and minimize any unintentional negative effects of the transition, and that the new implementation date would cover all NFIP policies.

Recommendation: The Secretary of the Department of Homeland Security should direct FEMA to ensure that information is collected on the location, number, and losses associated with existing and newly created grandfathered properties in NFIP and to analyze the financial impact of these properties on the flood insurance program.

Agency: Department of Homeland Security
Status: Open

Comments: As of February 2020, FEMA officials said they had finished identifying properties with grandfathered premium rates and that they planned to analyze their economic implications as part of their efforts to update their premium rate setting approach, known as Risk Rating 2.0. FEMA plans to implement this redesign on October 1, 2021.

Recommendation: In order to develop an approach to decision making and the development of evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty, the Secretary of Transportation should consider and evaluate practices and principles for making decisions under conditions of uncertainty and for using data in such decision making and, on that basis, develop an approach to guide decision making on high-clockspeed trends that, although somewhat uncertain, may affect highway safety.

Agency: Department of Transportation
Status: Open

Comments: In GAO-09-56, GAO recommended the Secretary of Transportation consider and evaluate practices and principles for making conditions under uncertainty and for using data in light of issues encountered in developing evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty. GAO had studied driver distraction involving electronic devices, in particular cell phones with texting capability and identified these evolving electronic devices as a high clockspeed trend. DOT reports several actions on distracted driving, specifically: (1) an Executive Order to federal employees not to engage in text messaging while driving government-owned vehicles; when using electronic equipment supplied by the government while driving; or while driving privately owned vehicles when they are on official business; (2) the Secretary called on state and local governments to (a) make distracted driving part of their state highway plans, (b) pass state and local laws against distracted driving in all types of vehicles, (c) back up public awareness campaigns with high-visibility enforcement actions; (3) the Secretary directed the Department to establish an on-line clearinghouse on the risks of distracted driving and also (4) pledged to continue the Department's research on how to best combat distracted driving. DOT also notes that the Department's www.distraction.gov website provides information on the latest data on distracted driving and that 34 states have passed laws against texting and driving since the 2009 announcement by the Secretary of DOT.

Recommendation: The Secretary of Transportation should evaluate whether or not new approaches to data collection are needed to better track new trends related to highway safety.

Agency: Department of Transportation
Status: Open

Comments: DOT has not responded to this recommendation.

Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should analyze and report on trends currently anticipated to affect highway safety through 2020 and beyond in a systematic fashion--including information on high-clockspeed trends, discussion of evidence about these and other individual trends, their implications and potential interactions, and DOT responses.

Agency: Department of Transportation
Status: Open

Comments: DOT has not responded to this recommendation, but DOT announced a distracted driving summit September 30-October 1, 2009, with a limited number of invitees, and invited the GAO Assistant Director on this report to participate. U.S. Transportation Secretary Ray LaHood stated that the purpose of the summit is to "to address the dangers of text-messaging and other distractions behind the wheel." The summit will include "senior transportation officials, elected officials, safety advocates, law enforcement representatives and academics" who will convene in Washington, DC "to discuss ideas about how to combat distracted driving."

Recommendation: In order to improve the information available to the Congress for reauthorization, the Secretary of Transportation should determine, in consultation with relevant congressional committees, schedules for periodic reporting that will be sufficiently frequent to update the Congress on fast-changing trends.

Agency: Department of Transportation
Status: Open

Comments: DOT has not responded to this recommendation.

Recommendation: To help states identify and address quality-of-care concerns among individuals with developmental disabilities receiving Medicaid HCBS waiver services, the Administrator of CMS should encourage states to (1) include death as a critical incident and conduct mortality reviews if they do not already do so and (2) broaden their mortality review processes if they already include death as a critical incident and conduct mortality reviews.

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: As of August 2020, CMS had taken some steps to address this recommendation but additional actions are needed to fully implement it. In June 2018 CMS issued a Medicaid update to states explaining that CMS strongly encourages them to include unexpected deaths in their definition of reportable critical incidents. CMS also stated in the update that states should conduct a preliminary review of all beneficiary deaths and investigations should focus on those deaths determined to be unexpected. Further, CMS has shared with states best practices for state mortality reviews that include, for example, the use of an interdisciplinary review committee and taking actions to address identified quality of care problems. CMS also developed a webinar training (Incident Management 101) to help states improve their incident management systems for the Medicaid HCBS waiver. The webinar outlines the key elements of building a comprehensive incident management system (e.g., establishing a process for conducting investigations of incidents, tracking and trending incidents to help prevent and mitigate incidents from occurring) and reiterates CMS's expectation that states identify and address unexplained deaths on an ongoing basis in order to meet the waiver's health and welfare assurance. In late 2018, CMS planned to include in its revised waiver application questions to determine practices regarding states' review and evaluation of unexpected deaths. In September 2019, CMS officials notified us that it will provide an updated status report on this recommendation in November 2019. As of August 2020, CMS officials have not provided us information regarding its revised waiver application and technical guide. We will update the status of this recommendation when we receive this information.

Recommendation: To develop timely chemical risk information that EPA needs to effectively conduct its mission, the Administrator, EPA, should require the Office of Research and Development to re-evaluate its draft proposed changes to the IRIS assessment process in light of the issues raised in this report and ensure that any revised process periodically assesses the level of resources that should be dedicated to this significant program to meet user needs and maintain a viable IRIS database.

Agency: Environmental Protection Agency
Status: Open
Priority recommendation

Comments: As of February 2020, EPA officials indicated that the IRIS Program had almost completed internal review of a "Handbook for Developing IRIS Assessments," intended to guide staff through the sequential stages of the IRIS assessment process and ensure consistency across assessments. The Handbook, when finalized and used by staff, codifies the agency's effort to reevaluate their assessment process, but doesn't address the resources that should be dedicated to the IRIS Program. A workforce plan that includes both staff and budget resources consistent with user needs is necessary. As we reported in March 2019, the program has made strides utilizing project management software and project management techniques that enable the IRIS Program to better plan assessment schedules and utilize staff. However, we also reported in March 2019 that the President's budget requests since fiscal year 2018 have repeatedly cut the budget by as much as 40 percent for the Health and Environmental Risk Assessment (HERA) area, of which IRIS is a part. While these cuts were not enacted by Congress, the President's fiscal year 2021 budget request again cuts the HERA program by 34 percent, or approximately $12.7 million dollars. These cuts could have an impact on the IRIS program's ability to meet EPA program and regional office needs, if enacted by Congress.

Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include defining the federal role and national interests in freight transportation, including economically-based and objective criteria to identify areas of national significance for freight transportation and to determine whether federal funds are required in those areas.

Agency: Department of Transportation
Status: Open

Comments: To fully implement this recommendation, DOT should complete and issue a National Freight Strategic Plan. As part of the development of the National Freight Strategic Plan, DOT should include defining the federal role in freight transportation, including economically-based and objective criteria to identify areas of national significance for freight transportation and to determine whether federal funds are required in those areas. As of February 2020, DOT had not issued the National Freight Strategic Plan and DOT officials said they were planning to issue the strategy by the end of 2020.

Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include establishing the roles of regional, state, and local governments, as well as the private sector.

Agency: Department of Transportation
Status: Open

Comments: To fully implement this recommendation, DOT should complete and issue a National Freight Strategic Plan. As part of the development of the National Freight Strategic Plan, DOT should include establishing the roles of regional, state, and local governments, as well as the private sector. As of February 2020, DOT had not issued the National Freight Strategic Plan and DOT officials said they were planning to issue the strategy by the end of 2020.

Recommendation: In order to improve freight mobility by more clearly defining the federal role in the freight transportation network and to begin to align federal investments with economically significant national benefits, the Secretary of Transportation should develop with Congress and public and private sector stakeholders a comprehensive national strategy for freight transportation. This national strategy should include using new or existing federal funding sources and mechanisms to support a targeted, cost-effective, and sustainable federal role in freight transportation.

Agency: Department of Transportation
Status: Open

Comments: To fully implement this recommendation, DOT should complete and issue a National Freight Strategic Plan. As part of the development of the National Freight Strategic Plan, DOT should include using new or existing federal funding sources and mechanisms to support a targeted, cost-effective, and sustainable federal role in freight transportation. As of February 2020, DOT had not issued the National Freight Strategic Plan and DOT officials said they were planning to issue the strategy by the end of 2020.

Recommendation: The Secretary of the Interior should direct the Deputy Assistant Secretary for Insular Affairs to develop a framework for OIA employees to use in conducting site visits to help ensure objectives are achieved, to assure that relevant information is shared with responsible officials, and to allow more efficient and effective monitoring of issues.

Agency: Department of the Interior
Status: Open

Comments: On May 24, 2017, the Department of Interior (DOI) sent out an email to its staff showing the dissemination of the new format required for completing trip reports by the staff of the Office of Insular Affairs (OIA). The new format requires staff to include travel justification (i.e., purpose/objective, location, and travel period) and trip report (i.e., meetings, site visits, results, and next steps, as applicable.) The intent of the recommendation is for DOI to have a framework that includes (1) status of required single audit reports; (2) the progress of actions to resolve reported internal control weaknesses; and (3) current needs for technical assistance, capacity building, and staff level expertise. Further, the intent of GAO's recommendation is that this information be integrated into a comprehensive monitoring process. We did not see these elements included in DOI's new format. At present, the agency has been unable to provide additional information that supports the development of a framework for conducting sites visits that incorporates procedures about how information will be shared and monitored. In August 2020, the agency informed us that it has taken additional corrective actions some time ago and is in the process of trying to locate the supporting documentation. We will continue to monitor the agency's actions to address this recommendation.