Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Risk management"
GAO-20-604, Sep 29, 2020
Phone: (202) 512-6722
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-431, Sep 21, 2020
Phone: (202) 512-4456
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-631, Sep 17, 2020
Phone: (202) 512-9342
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-606, Sep 16, 2020
Phone: (202) 512-6722
Agency: Federal Communications Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Federal Communications Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Federal Communications Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Phone: (202) 512-8678
Agency: Federal Deposit Insurance Corporation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Federal Deposit Insurance Corporation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Federal Deposit Insurance Corporation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Federal Deposit Insurance Corporation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-598, Aug 18, 2020
Phone: (202) 512-6240
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-555, Jul 28, 2020
Phone: (202) 512-3149
Agency: United States Agency for International Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-409, Jul 24, 2020
Phone: (202) 512-3841
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-488, Jul 6, 2020
Phone: (202) 512-3841
Agency: Congress
Status: Open
Comments: As of August 19, 2020, no action had been taken to establish a pilot program to identify and provide assistance to climate migration projects.
GAO-20-332, Jun 18, 2020
Phone: (202) 512-2989
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and highlighted steps taken or planned to address this recommendation. Specifically, in FY19, the Air Force assessed the current-state of the risk management programs throughout the Air Force and developed a maturity model, implementation plan, and a governance structure to comply with OMB A-123 requirements. These enhancements will be implemented and formalized in policy in FY20. Further, beginning in FY19, the Air Force Senior Assessment Team (SAT) and the Senior Management Council (SMC) monitored corrective action plans for material weaknesses identified internally and by independent public accountants, including their impact on the Air Force's ability to achieve its enterprise objectives. In addition, the Air Force developed a process for the SAT and the SMC to discuss corrective action plans for material weaknesses on a quarterly basis as opposed to an annual basis, which will be evidenced in the form of board briefings and meeting minutes. Additionally, in FY19 the Air Force engaged the Enterprise Productivity Improvement Council to serve as the Air Force Risk Management Council (RMC) to oversee enterprise risk management as defined by their Charter, which was signed in February 2020. The Air Force will refine its policies and procedures to clearly specify the risks associated with the material weaknesses being addressed by the Air Force governance boards. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described steps taken or planned to address the recommendation. The Air Force SAF/FM performs both entity-level control assessments against all internal control components and principles and performs process level control assessments for internal controls over financial reporting and financial systems. The Air Force Audit Agency and the Air Force Inspector General have performed assessments related to operations and compliance. The Air Force will document those roles and responsibilities in formal policies. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described steps taken or planned to address this recommendation. The Air Force test plans for internal controls over financial reporting and financial systems tie back to their relevant risk frameworks embedded in authoritative audit guidance. The framework used for financial reporting is the Financial Audit Manual, and the framework used for financial systems is the Federal Information Systems Controls Audit Manual; the test plans include the nature, scope, and timing of procedures performed. The Air Force's process-level internal control test plans are aligned with business process-level risks and objectives and are not directly associated with the Air Force's strategic objectives. The Air Force Business Operations Plan identifies strategic objectives, not business process-level objectives. Additionally, the Air Force considers previously identified internal control deficiencies in its annual documented internal control assessment scoping process. The Air Force will refine its policies and procedures regarding the use of test plans including operational and compliance controls. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation. The Air Force will design policies and procedures to determine assessable units and verify that results are current on an annual basis. Due to the need to reevaluate the Air Force's assessable unit structure and the associated change management that will be necessary to implement the changes to sustain an effective program, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation. The Air Force will design policies and procedures to consider the impact of waivers to the overall assessment of the system of internal control. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described steps taken or planned to address the recommendation. Specifically, the Air Force is implementing multiple changes to the Air Force's ERM and internal control program, including improved governance, standardized processes and documentation for enterprise risk management, entity-level and process-level controls, training, fraud risk management, and data quality management. Training content in FY20 was updated to reflect additional information, including definitions for internal controls and considerations for determining material weaknesses for operations. The Air Force will continue to update its policies, guidance, and training to coincide with the current progress of the program. The Air Force will continue to refine the audience of its training to verify that those responsible for implementing and assessing ERM and internal controls are trained sufficiently. Due to the need for policy, procedure, documentation, and training updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation. The Air Force will verify that all definitions and concepts in its policies are current and consistent with other authoritative guidance. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies by September 2020 and publish the policies by September 2021.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force performs annual training to Major Commands, Direct Reporting Units, and Functional Executives. In FY20, the Air Force included business process assessable leads in this training. The Air Force plans to continue to refine the audience of its training to verify that those responsible for implementing and assessing ERM and internal controls are trained sufficiently by September 2021.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. Specifically, the Air Force's scoping procedures, beginning in FY19, consider materiality, both quantitative and qualitative risk, as well as risks identified in the enterprise risk management process. The Air Force assesses internal controls over financial reporting and financial systems using a risk-based approach as evidenced currently in documented procedures and testing templates. The Air Force will refine its procedure documentation to include the assessment of internal controls over operations and compliance using a risk-based approach. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation and described actions taken or planned to address the recommendation. The Air Force documents processes and assesses internal controls over financial reporting and financial systems related to mission critical assets that includes determinations as to internal control design, implementation, operating effectiveness and risks. The Air Force will enhance its approach for documenting processes and assessing internal controls over operations and compliance not related to financial reporting and financial systems through policy. Due to the need for policy, procedure, and documentation updates required for operational and compliance controls related to mission-critical assets, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, and documentation by September 2021 and publish the associated policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation. The Air Force reports material weaknesses in internal controls over financial reporting and financial systems related to mission critical assets through SAF/FM, but it will solidify its reporting channels for material weaknesses in internal controls over operations and compliance through policy. Due to the need for policy, procedure, documentation, and training updates required to appropriately report deficiencies in internal control over operations and compliance, and the coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, the Air Force plans to refine the policies, procedures, documentation, and training by September 2021 and publish the associated policies by September 2022.
Agency: Department of Defense: Department of the Air Force
Status: Open
Comments: The DOD concurred with this recommendation. The Air Force will develop procedures to enhance communication between business process leads and Air Force unit managers to verify that deficiencies are reported appropriately in supporting statements of assurance. Due to the need for coordination across multiple Air Force organizations to seek input, approve, and concur with policy changes, as well as the change management needed to implement additional communications and protocol processes, the Air Force plans to refine the policies by September 2021 and publish the policies by September 2022.
GAO-20-417, May 7, 2020
Phone: (202) 512-4841
Agency: Department of Homeland Security
Status: Open
Comments: DHS disagreed with our recommendation, preferring to maintain the status quo in its policy and procedures. However, by doing so, DHS is missing important opportunities to prevent negative acquisition outcomes and the potential for wasted resources. In its response, DHS noted its processes for major acquisitions; however, DHS service programs and contracts did not rise to the level of being classified a major service acquisition.
Agency: Department of Homeland Security
Status: Open
Comments: DHS did not concur with this recommendation, maintaining that the factors considered when waiving a Procurement Strategy Roadmap are not static. We believe, however, that documenting the factors considered will help ensure that the decisions to waive the Procurement Strategy Roadmaps are made consistently and transparently, and will help maintain institutional knowledge.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with this recommendation and stated that it will update the Inherently Governmental and Critical Functions Analysis job aid to require the identification of a special interest function when applicable.
Agency: Department of Homeland Security
Status: Open
Comments: DHS did not concur with this recommendation, maintaining that the components are certifying that they have sufficient internal capacity or federal employees available for oversight within the Inherently Governmental and Critical Functions Analysis. We continue to believe, however, that without guidance, each component is making its own determination about which factors to consider, and DHS does not know how or whether the components are considering the federal workforce available to oversee service contracts in need of heightened management attention, or what steps, if any, the components are taking to mitigate risks if there are not enough federal personnel available to oversee the contracts after award.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with this recommendation and stated that it will develop guidance that identifies oversight tasks or safeguards that personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental, special interest, or critical functions.
Agency: Department of Homeland Security
Status: Open
Comments: DHS did not concur with this recommendation, stating that its annual Congressional Budget Justification already contains substantial service contract information. We maintain, however, that the service contract information currently included limits visibility for both DHS and Congress into requested and actual service requirements costs.
GAO-20-460, Apr 29, 2020
Phone: (202) 512-2834
Agency: Department of Transportation: Committee on the Marine Transportation System
Status: Open
Comments: CMTS partially concurred with our recommendation but also noted several areas of disagreement with our conclusions, which we addressed directly in our report. For example, we note in our report that CMTS itself has previously noted the importance of evaluating risks on a government-wide basis, and that it previously proposed a model for determining risk that considered the likelihood of adverse events actually occurring, vulnerability to damage, and potential consequences. Given its previous work in the U.S. Arctic and its coordinating role with its member agencies, CMTS is well suited to conduct a government-wide assessment of the risks posed by gaps in maritime infrastructure in the U.S. Arctic. As such, we stand by our recommendation and will continue to report on steps taken by CMTS to address it.
Agency: Executive Office of the President: Office of Science and Technology Policy
Status: Open
Comments: OSTP neither agreed nor disagreed with the report's recommendations. OSTP acknowledged the Arctic is of critical national importance and noted interagency coordination can be implemented through the entities of the National Science and Technology Council, which is located within OSTP. As we note in our report, without a strategy for addressing U.S. Arctic maritime infrastructure that identifies goals and objectives, performance measures to monitor agencies' progress over time, and the appropriate responses to address risks, agencies lack assurance that their actions are effectively targeting priority areas and decision makers cannot gauge the extent of progress in addressing maritime infrastructure gaps. As such, we stand by our recommendation and will continue to evaluate OSTP's efforts to fully address it.
Agency: Executive Office of the President: Office of Science and Technology Policy
Status: Open
Comments: OSTP neither agreed nor disagreed with the report's recommendations. OSTP acknowledged the Arctic is of critical national importance and noted interagency coordination can be implemented through the entities of the National Science and Technology Council, which is located within OSTP. OSTP noted the need for, and role of additional federal coordination, such as the Arctic Executive Steering Committee, is under consideration by OSTP. We continue to believe that the appropriate entities within the Executive Office of the President, including OSTP, should designate the interagency group responsible for leading and coordinating federal efforts to address maritime infrastructure in the U.S. Arctic that includes all relevant stakeholders. As we note in our report, without an interagency collaboration mechanism designated to lead these efforts, it is unclear who has responsibility for whole-of-government efforts to address U.S. Arctic maritime infrastructure. We will continue to monitor OSTP's efforts to fully address our recommendation.
GAO-20-404, Apr 3, 2020
Phone: (202) 512-8777
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
GAO-20-227, Mar 2, 2020
Phone: (202) 512-6722
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us it has been working on establishing written policies (e.g., internal guidance documents and checklists) to implement and document the State Plan review and approval process. OCC expects to complete this work for the FY2022-2024 Plan period. We will continue to monitor OCC's efforts to implement this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to incorporate its information needs regarding the results of program integrity into the Preprint document as it develops the document. We will continue to monitor OCC's progress in implementing this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to communicate its information needs regarding the results of program integrity activities to states and territories as part of the Preprint Training activities - including webinars and peer-to-peer virtual meetings - so Lead Agencies understand what is expected for them to address in the CCDF Plan. We will continue to monitor OCC's progress in implementing this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us that it is developing the next CCDF State/Territory Plan Preprint due for submission by states and territories July 1, 2021. According to OCC, it plans to communicate its information needs regarding the results of program integrity activities to staff in both regional and central offices as part of the Preprint Training activities so staff understand what is expected for Lead Agencies to address in the CCDF Plan. We will continue to monitor OCC's progress in implementing this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us it revised the CAP Review Tool in response to our recommendation. OCC also told us that it plans to implement the revised CAP Review Tool beginning September 2020 to document the review of CAPs submitted for the most recent ACF-404 reporting cycle (June 2020). We asked OCC to provide documentation showing the revised CAP Review Tool is responsive to our recommendation. We will update this recommendation status after reviewing the documentation OCC provides.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us it developed draft written policies for the CAP follow-up process to ensure that OCC's oversight and monitoring of CAPs is carried out consistently. However, due to the impact of COVID-19 on staffing capacity, OCC has not presented the draft policies to regional offices for feedback. OCC told us it plans to finalize the written policies for the CAP follow-up process by December 2020. We will continue to monitor OCC's progress in implementing this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us it analyzed information gathered from federal and state resources to develop and document criteria to be used to assess the effectiveness of states' program integrity control activities. We asked OCC to provide us the document showing all criteria to be used to assess the effectiveness of states' program integrity control activities. We will update this recommendation status after reviewing the documentation OCC provides.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of the Child Care Bureau
Status: Open
Comments: In September 2020, OCC told us it is working to make the Self-Assessment Instrument and Fraud Toolkit more user-friendly to encourage increased use within the state CCDF program. With increased usage, OCC believes it will be in a better position to assess how the collection of data from these two instruments can be incorporated into the Onsite Monitoring System or other oversight activity. OCC told us it anticipates completing work to implement this recommendation by December 2020. We will continue to monitor OCC's progress in implementing this recommendation.
Agency: Department of Health and Human Services: Administration for Children and Families
Status: Open
Comments: In September 2020, HHS told us it anticipates completing the initial fraud risk assessment for the CCDF program by December 2020. We will continue to monitor HHS's efforts to implement this recommendation.
GAO-20-273, Feb 19, 2020
Phone: (404) 679-1875
including 4 priority recommendations
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Health and Human Services: Office of the Secretary
Status: Open
Priority recommendation
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-243, Feb 19, 2020
Phone: (202) 512-3841
Agency: Department of Agriculture
Status: Open
Comments: In January 2020, USDA officials agreed with our recommendation and stated that the department is evaluating options for the development of performance metrics and inclusion of these metrics and related information as part of the regular and recurring reviews by the department's Deputy Secretary who is identified as the Chief Operating Officer.
GAO-20-199, Feb 11, 2020
Phone: (202) 512-9342
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was in the process of revising its IT systems project planning to ensure the development and implementation of policies and procedures incorporating key cybersecurity activities. The agency also stated that it plans to hire an IT Security Project Manager in order to acquire the necessary cybersecurity expertise needed to implement this recommendation and to ensure that sufficient time and resources can be dedicated to the development and implementation of these policies and procedures. We will continue to monitor OCWR's progress in addressing this recommendation.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing oversight procedures for each externally-operated system. We will continue to monitor OCWR's progress in addressing this recommendation.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it had expanded the office's IT Director's role to formally include the functions of an IT Risk Executive and was in the process of establishing the roles and responsibilities. We will continue to monitor OCWR's progress in addressing this recommendation.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing a cybersecurity risk management strategy. We will continue to monitor OCWR's progress in addressing this recommendation.
Agency: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that, once the position of IT Security Project Manager is filled and the IT Risk Executive functions are formalized, the agency is planning to commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. We will continue to monitor OCWR's progress in addressing this recommendation.
GAO-20-174, Jan 30, 2020
Phone: (202) 512-9110
including 2 priority recommendations
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: In January 2020, IRS agreed to designate a dedicated entity to provide oversight of agency-wide business IDT efforts and stated that it will determine the appropriate oversight structure and scope of authority.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In January 2020, IRS agreed but did not provide details on the actions it plans to take to address the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. In January 2020, IRS stated that it will complete an analysis of other authentication methods.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS neither agreed nor disagreed with our recommendation to establish customer service-oriented performance goals for resolving business identity theft cases. In January 2020, IRS stated that it will review its customer service-oriented performance goals and modify them, as warranted, to address the resolution of business identity theft cases. Doing so would meet the intent of our recommendation.
GAO-20-202, Dec 18, 2019
Phone: (202) 512-8777
Agency: Department of Justice: Office of Juvenile Justice and Delinquency Prevention
Status: Open
Comments: In June 2020, DOJ reported that OJJDP is engaged in a comprehensive effort to improve performance measures. The final step of this process will be the development of performance targets. According to DOJ, OJJDP anticipates setting initial targets for its discretionary grant programs by October 2021 and for the Title II Formula Grant program by March 2023. We believe these actions, when effectively completed, will address our recommendation. We plan to provide an update on OJP's progress in late 2021.
Agency: Department of Justice: Office of the Assistant Attorney General for Administration
Status: Open
Comments: In June 2020, DOJ reported that it awarded a new contract in January 2020 that includes a requirement to continue conducting annual fraud risk assessments and update associated fraud risk profiles using the GAO Fraud Risk Framework. DOJ further reported that it will develop a fraud risk tolerance for DOJ grants and prioritize residual fraud risk against that tolerance when it conducts this assessment. We believe these actions, when effectively completed, will address our recommendation. We plan to follow up with DOJ and provide an update in early 2021.
GAO-20-182, Dec 17, 2019
Phone: (202) 512-8612
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurred with this recommendation. According to CBP, the new ACE drawback module provides the capability to extract data for workload management. Further enhanced reporting capabilities for drawback claims are under development. CBP's Office of Field Operations and Office of Trade continue to collaborate on a plan to employ risk management principles and automation to resolve the drawback claims backlog and lay the foundation for processing current drawback claims workload. They estimate the completion of this workload management system by October 31, 2020.
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurred with this recommendation. According to CBP, the Office of Trade is exploring alternatives to track and automatically flag duplicate exports across multiple drawback claims. CBP expects to complete their assessment and plan for implementation by December 31, 2020.
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurred with this recommendation. According to CBP, the Office of Trade will work to develop a plan for the use of the Automated Export System (and possibly other systems) for electronic proof of export in the future. They expect this to be complete by September 30, 2020.
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurred with our recommendation. According to CBP, the Office of Trade, in collaboration with the Office of Information Technology, will automate updates that turn the claim selection feature on in ACE. The Office of Trade plans to retroactively identify drawback claims accepted during the lapse period, and is working to implement a solution by December 31, 2020.
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurred with this recommendation. According to CBP, on March 25, 2020, the Office of Trade initiated an analysis to improve automation and targeting on an ongoing basis. Based on the results of this analysis, the Office of Trade will make any needed adjustments to policy and procedures to assist with data quality, by September 30, 2020.
Agency: Department of Homeland Security: United States Customs and Border Protection: Office of the Commissioner
Status: Open
Comments: CBP concurs with this recommendation. According to CBP, the Office of Trade is finalizing a plan to conduct an ex post analysis of the impact on industry and government of key changes to the drawback program. CBP's analytical plan will include a timeline and methodology for assessing changes to the program. They expect to complete this by November 30, 2020.
GAO-20-56, Dec 5, 2019
Phone: (202) 512-8777
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-43, Nov 26, 2019
Phone: (202) 512-3841
Agency: Department of Defense: Department of the Army: Office of the Assistant Secretary (Civil Works)
Status: Open
Comments: In its letter dated January 14, 2020, the Department of Defense concurred with GAO's recommendation and provided a corrective action plan in response to the recommendation. According to the corrective action plan, the Corps estimates that guidance will be issued to ensure that Corps reports adequately describe and justify the models, analytical choices, assumptions, and data used such that it is consistent with best practices by December 31, 2020.
GAO-20-106, Nov 25, 2019
Phone: (202) 512-6722
Agency: Department of Defense: Under Secretary of Defense (Comptroller)
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-20-127, Oct 23, 2019
Phone: (202) 512-3841
Agency: Congress
Status: Open
Comments: As of July 2020, no action had been taken to establish a federal organizational arrangement to periodically identify and prioritize climate resilience projects for federal investment.
GAO-20-27, Oct 23, 2019
Phone: (202) 512-2834
Agency: Federal Communications Commission
Status: Open
Comments: As of April 2020, FCC reported that the agency was undertaking further improvements of its fraud risk management program consistent with this recommendation. FCC did not indicate a completion date. We will continue to monitor FCC's progress related to establishing a dedicated antifraud management entity.
Agency: Federal Communications Commission
Status: Open
Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC stated that USAC will conduct a fraud risk assessment of the high-cost program, but did not specify a time-frame for this effort. We will continue to review FCC and USAC's progress toward completing this assessment, and any steps taken to routinize this assessment.
Agency: Federal Communications Commission
Status: Open
Comments: As of April 2020, FCC reported that the agency was working with the Universal Service Administrative Company (USAC), which is the entity responsible for the day-to-day administration of the high-cost program, to implement this recommendation. FCC reported it will ensure the results of the high-cost program's fraud risk assessment, along with other efforts to implement the GAO fraud risk framework, result in an overall fraud risk strategy. FCC did not indicate a completion date for these efforts, and we will continue to track FCC progress in this area.
Agency: Federal Communications Commission
Status: Open
Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC did not specify a time-frame for this effort. We will continue to review FCC's efforts related to this recommendation, including FCC efforts, if any, to verify the model's cost estimates.
Agency: Federal Communications Commission
Status: Open
Comments: As of April 2020, FCC reported that it was considering ways to improve the model-based support mechanism for rate-of-return carriers participating in the high-cost program. FCC indicated that any such improvements may help facilitate the transition of carriers from legacy support mechanisms to the model-based support mechanism. FCC did not provide a time-frame for completion of this effort. We will continue to monitor FCC's progress and efforts in regard to this recommendation.
GAO-20-73, Oct 18, 2019
Phone: (202) 512-3841
including 3 priority recommendations
Agency: Environmental Protection Agency
Status: Open
Comments: In its June 2020 response, EPA stated that it had convened a working group comprising Superfund and regional officials to collect and disseminate geospatial information for all NPL sites to help EPA analyze, communicate, and respond to the impacts of natural disasters and weather. EPA has not, however, provided a schedule for completing this effort.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of June 2020, EPA has stated that it agrees with the recommendation but does not plan to take any action to respond to it because it believes its actions are aligned with agency goals and objectives. We continue to believe that clarifying this alignment to the agency's current goals and objectives is warranted.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of June 2020, EPA stated that it will be issuing a memorandum that would provide direction on integrating information on the potential impacts of climate change effects into risk assessments at nonfederal NPL sites in the fourth quarter of fiscal year 2020. At that time, we will review the memorandum to determine if it is responsive to our recommendation.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of June 2020, EPA stated that it will be issuing a memorandum that would provide direction on integrating information on the potential impacts of climate change effects into risk response decisions at nonfederal NPL sites in the fourth quarter of fiscal year 2020. At that time, we will review the memorandum to determine if it is responsive to our recommendation.
GAO-19-676, Sep 30, 2019
Phone: (202) 512-8777
Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-643, Sep 25, 2019
Phone: (202) 512-3841
Agency: Department of the Interior: Bureau of Land Management
Status: Open
Comments: BLM agreed with our recommendation and stated it intends to revise its policy and develop a plan to complete required facility security assessments. As of November 2019, BLM had not yet completed its plan.
Agency: Department of the Interior: National Park Service
Status: Open
Comments: Park Service agreed with our recommendation and cited its efforts to develop a plan that includes training and tools so that park unit staff can conduct the required assessments. As of November 2019, Park Service had not yet completed its plan.
Agency: Department of the Interior: National Park Service
Status: Open
Comments: Park Service agreed with our recommendation to update its facility security assessment methodology to comply with requirements in the ISC Standard. As of November 2019, Park Service had not yet updated its methodology.
Agency: Department of the Interior: Bureau of Land Management
Status: Open
Comments: BLM agreed with our recommendation and said it would revise its policy and develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, BLM had not yet developed its methodology.
Agency: Department of the Interior: United States Fish and Wildlife Service
Status: Open
Comments: FWS agreed with our recommendation and cited its efforts to develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, FWS had not yet developed its methodology.
GAO-19-675, Sep 25, 2019
Phone: (202) 512-3841
Agency: Department of Homeland Security: United States Coast Guard
Status: Open
Comments: The Coast Guard concurred with the spirit of GAO's recommendation to formalize its shore infrastructure risk management processes. As noted in their formal comment, the Coast Guard was mandated by the DHS Under Secretary for Management to follow risk management guidance outlined in the DHS Resilience Framework in March 2018. The Coast Guard reported that progress towards implementing GAO's recommendation is expected to be concurrent with the development and implementation of the Component Resilience Plan in accordance with the DHS Resilience Framework. According to the Coast Guard, the DHS-mandated Component Resilience Plan assigns a mission criticality level and resilience factor to each shore facility based on a criticality assessment, inter-dependencies between mission essential assets and functions, and risk. It will then align its current resilience factor formulation to that defined through the process in the DHS Resilience Framework. Risks identified through the Framework will be managed through a strategic combination of risk acceptance, mitigation, engineering, and operational controls. The Coast Guard stated that it intends to complete these multiple efforts by the end of 2021. In a March 2020 update, the Coast Guard stated that its Office of Civil Engineering was developing the Work Plan, newly named the 2020 Civil Engineering Program Work Plan: Initiatives and Tactics, and said it would include goals and objectives for identifying and addressing infrastructure resilience gaps and resource needs in alignment with the Coast Guard's Component Resilience Plan. The Coast Guard expected to publish this Civil Engineering Work Plan by July 31, 2020, after which it said it would begin implementing and measuring the effectiveness of the actions identified in the Work Plan. In June 2020, the Coast Guard reported that it now anticipates finalizing the Civil Engineering Work Plan by September 30, 2020.
GAO-19-519, Sep 13, 2019
Phone: (202) 512-6722
including 1 priority recommendation
Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open
Priority recommendation
Comments: In February 2020, HHS told us that the Administration for Children and Families (ACF) is developing a Fraud Risk Assessment template for all of its programs (including the Office of Head Start) and is on track to complete the initial Fraud Risk Assessment for its pilot program by June 30, 2020. Upon completion of the Fraud Risk Assessment for the ACF pilot program, ACF anticipates completing its initial Fraud Risk Assessment for OHS, by March 31, 2021. We will assess these actions once completed.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open
Comments: HHS did not concur with this recommendation. In February 2020, HHS stated that OHS regularly evaluates the effectiveness of its workflows to determine how to best adjust the system to support effective follow-up. HHS also stated that, for Fiscal Year 2020, OHS has updated its internal workflow timelines to increase responsiveness to identified findings and ensure grantee support. We will continue to monitor HHS's efforts in this area.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open
Comments: In February 2020, OHS told us that it is finalizing program guidance that will address when a child's slot should be considered vacant due to absenteeism and what a program should do to fill it. OHS stated that it anticipates having a final paper published by summer, 2020. We will continue to monitor OHS's efforts in this area.
Agency: Department of Health and Human Services: Administration for Children and Families: Office of Head Start
Status: Open
Comments: In February 2020, OHS told us that it is developing a toolkit of resources specifically designed to offer best practice tips for Early Head Start programs on how to track attendance and services to pregnant women. OHS is surveying the Head Start community to better determine what resources are already available and how programs in different regions and cities track services to pregnant women. OHS anticipates a rollout for the toolkit by summer, 2020.
GAO-19-639, Aug 30, 2019
Phone: (202) 512-2834
including 1 priority recommendation
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: As of December 2019, FAA concurred with this recommendation. FAA noted that it will include actions to identify and remove duplicate excursion records in its Runway Safety Evolution Plan, which is scheduled to be completed by September 30, 2020. We will review the Runway Safety Evolution Plan when it is available.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: As of December 2019, FAA concurred with this recommendation. FAA noted that it will identify actions to implement this recommendation in its Runway Safety Evolution Plan, which is scheduled to be completed by September 30, 2020. We will review the Runway Safety Evolution Plan when it is available.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Priority recommendation
Comments: As of December 2019, FAA has concurred with the recommendation, but needs to take additional steps to address the recommendation. FAA noted that it would identify actions to assess the effectiveness of all of its terminal-area safety efforts in a Runway Safety Evolution Plan, which the agency expects to complete by September 30, 2020. We will review the Runway Safety Evolution Plan when it is available.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: As of December 2019, FAA concurred with this recommendation. FAA noted that it will include an initiative in its 2020 Aviation Safety Business Plan Goal to make information from Flight Standards more accessible to the Runway Safety Group. FAA said the 2020 Aviation Safety Business Plan Goal is scheduled to be completed by September 3, 2020. We will review the Aviation Safety Business Plan Goal when it is available.
Agency: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: As of December 2019, FAA concurred with this recommendation. FAA noted that it will identify actions to implement this recommendation in its Runway Safety Evolution Plan, which is scheduled to be completed by September 30, 2020. We will review the Runway Safety Evolution Plan when it is available.
GAO-19-545, Jul 26, 2019
Phone: (202) 512-6244
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: In January 2020, OMB officials stated that they have incorporated agency feedback for enhancing the CyberStat program into an updated concept of operations document that is currently in draft. To consider this recommendation fully implemented, OMB needs to provide us with an updated concept of operations document for the CyberStat program, and demonstrate the expansion of CyberStat review meetings to agencies that require additional assistance due to persistent information security deficiencies. As of September 2020, OMB has not provided sufficient evidence to close this recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of September 2020, we were still waiting to receive OMB's 180-day letter detailing the actions it plans to take to address the recommendation.
GAO-19-384, Jul 25, 2019
Phone: (202) 512-9342
including 25 priority recommendations
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The Office of Management and Budget did not say whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once OMB has provided information, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan, which is to include a comprehensive Cybersecurity Strategy. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it is developing a Risk Management Framework implementation plan which will include updates to USDA's process guide to ensure informed security control tailoring and updates to USDA's Plan of Actions and Milestones (POA&M) Standard Operation Procedure to inform prioritized POA&M mitigation strategies, through a consistent and repeatable security risk assessment process. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: The Department of Agriculture did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it plans to establish a governance framework for USDA Enterprise Risk Management (ERM), which will provide a platform to increase coordination between stakeholders within the cybersecurity and enterprise risk management functions. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Commerce
Status: Open
Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to planned actions for this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: The Department of Commerce did not state whether or not it concurred with this recommendation. As of February 2020, the department stated that it intends to evaluate whether there are any gaps in its cybersecurity policy pertaining to the establishment of an organization-wide cybersecurity risk assessment and will establish a plan to fill in gaps as necessary. The department added that it is making strides in the implementation of a tool that can aggregate data into a dashboard for a unified visibility across the department. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: The Department of Energy concurred with this recommendation. As of January 2020, the department stated that it was developing a department-wide risk management plan, to include a risk management strategy, and this would be completed by May 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo that will detail its risk management strategy, including how the department will assess, respond to, and monitor risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services partially concurred with this recommendation. As of January 2020, HHS stated that it is in the process of updating its policies to address the missing elements and plans to finalize the revisions by March 2021. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: The Department of Health and Human Services concurred with this recommendation. As of January 2020, HHS stated that it is drafting a cybersecurity risk management memo and capability model that will include a process for an organization-wide assessment of cybersecurity risk. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that it was in the process of developing an enterprise-wide Cybersecurity Risk Management Strategy that will define cybersecurity risk tolerance thresholds and promote inclusion of cybersecurity risk management into the Department's overall risk management capabilities. The estimated completion date for this effort is July 31, 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: The Department of Homeland Security concurred with this recommendation. As of January 2020, the department stated that, once developed, its Cybersecurity Risk Management Strategy will incorporate clarifications of the cybersecurity risk executive's role and will be coordinated with the DHS Office of the Chief Financial Officer, other offices within the DHS Management Directorate, and Department Components, as appropriate. The department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation
Comments: The Department of Housing and Urban Development concurred with this recommendation. As of January 2020, the department said it planned to develop a cybersecurity risk management strategy that will determine how cybersecurity risks will be identified, framed, assessed, responded to, and monitored. The Department estimated completing this effort by August 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of the Interior
Status: Open
Priority recommendation
Comments: The Department of the Interior concurred with this recommendation. As of January 2020, the department stated that its cybersecurity and enterprise risk management teams would establish a process for bi-directional communication and status reporting. The Department estimated completing this effort by July 31, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Justice
Status: Open
Priority recommendation
Comments: In its comments on our draft report, the Department of Justice did not state whether it concurred with this recommendation. As of January 2020, the department reported that it had an integrated strategy for identifying, prioritizing, assessing, responding to, monitoring, and reporting on cybersecurity risks. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Justice
Status: Open
Priority recommendation
Comments: In its comments on our draft report, the Department of Justice did not state whether or not it concurred with this recommendation. As of January 2020, the department stated that it is developing an ongoing mechanism to institutionalize coordination between its cybersecurity and ERM functions in fiscal year 2020. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department states that it has taken action, we plan to verify whether implementation has occurred.
Agency: Department of State
Status: Open
Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of State
Status: Open
Priority recommendation
Comments: The Department of State concurred with this recommendation. As of January 2020, the department stated that it is actively working to update the applicable policies and procedures. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its cybersecurity risk management strategy to include the identified missing elements. The Department estimated completing this effort by October 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation concurred with this recommendation. As of January 2020, the department stated that it would update its policies and procedures to require an organization-wide cybersecurity risk assessment. The Department estimated completing this effort by July 1, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the department has provided information, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, the department stated that it plans to develop a comprehensive risk management strategy in accordance with its updated cybersecurity program directive and plans to finalize the strategy by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to incorporate this requirement into its updated policies by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Priority recommendation
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA stated that it plans to fully document its process for an organization-wide cybersecurity risk assessment by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs concurred with this recommendation. As of January 2020, VA described efforts under way to institutionalize coordination between cybersecurity and enterprise risk management functions and stated that this coordination will be documented in detail by June 30, 2020. Once the department has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that its strategic plans are under review beginning in the fourth quarter of fiscal year 2020. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, EPA stated that it is establishing a process to review, update, and reissue its policies. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency did not state whether or not it concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the agency has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: General Services Administration
Status: Open
Priority recommendation
Comments: The General Services Administration concurred with this recommendation. As of January 2020, the agency stated that it would establish a process for conducting an organization-wide cybersecurity risk assessment. The administration estimated completing this effort by June 30, 2020. Once the administration has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. As of January 2020, the agency stated that it is working to address gaps in its cybersecurity policy. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA concurred with this recommendation. As of January 2020, NASA stated that the agency is in the process of documenting its process for conducting an organization-wide cybersecurity risk assessment. NASA's planned completion date for this effort is September 30, 2020. Once NASA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided information, we plan to verify whether implementation has occurred.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC concurred with this recommendation. As of January 2020, we had not received information pertaining to this recommendation. Once the commission has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Office of Personnel Management
Status: Open
Comments: OPM concurred with this recommendation. As of January 2020, OPM stated that it planned to update its policies to address the missing elements. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM concurred with this recommendation. As of January 2020, the office stated that it planned to formalize its process for an organization-wide cybersecurity assessment. Once OPM has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Small Business Administration
Status: Open
Priority recommendation
Comments: SBA concurred with this recommendation. As of January 2020, SBA stated that it intends to finalize its process for an agency-wide cybersecurity risk assessment by March 31, 2020. Once SBA has provided evidence of these actions, we plan to verify whether implementation has occurred.
Agency: Social Security Administration
Status: Open
Priority recommendation
Comments: SSA concurred with this recommendation. As of January 2020, SSA stated that it has initiated a formal process for coordination between its cybersecurity risk management and enterprise risk management teams and that this process should be fully established by the third quarter of FY 2020. Once SSA has provided evidence of these actions, we plan to verify whether implementation has occurred.
GAO-19-562, Jul 22, 2019
Phone: (202) 512-2834
Agency: Department of Transportation: Federal Transit Administration
Status: Open
Comments: As of March 2020, FTA had posted GAO's Cost Estimating and Assessment Guide to its website. However, FTA has yet to update its cost estimating information, which does not align with GAO's best practices in five areas: (1) risk and uncertainty analysis; (2) sensitivity analysis; (3) identifying ground rules and assumptions; (4) obtaining the data; and (5) presenting cost estimates to management. GAO continues to believe that because FTA's cost estimating information does not align with all 12 steps found in GAO's Cost Estimating and Assessment Guide, FTA lacks reasonable assurance that sponsors have developed and communicated high-quality cost estimates. We will continue to monitor FTA's actions.
Agency: Department of Transportation: Federal Transit Administration
Status: Open
Comments: As of March 2020, FTA had developed a webpage with some cost estimating information for project sponsors. However, the website did not include key information for project sponsors which FTA had previously provided to GAO for its analysis of cost estimating information. We continue to believe that providing a centralized location to share existing FTA documentation with sponsors, and ensuring that the documentation incorporates best practices from GAO's Cost Estimating and Assessment Guide, such as sensitivity analyses, could improve the reliability of sponsors' cost estimates and could reduce the risk of cost overruns for Capital Investment Grant (CIG) New Starts applicants and grantees. We will continue to monitor FTA's actions to address this recommendation.
GAO-19-547, Jul 17, 2019
Phone: (202) 512-8777
Agency: Department of State
Status: Open
Comments: Department of State officials stated in January 2020 that the department plans to address this recommendation by increasing the frequency and specificity of E-2 content through webinars, workshops, and cables. The Department of State also plans to develop subject matter experts on business and tax related documents that can provide consultative services on an as-needed basis. As of July 2020, Department of State officials said that they had not yet implemented these actions. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: Department of State officials stated in January 2020 that the department plans to address this recommendation by incorporating into policy a 5-year mandatory review of companies registered at any post using a company registration program. As of July 2020, Department of State officials said that they had not yet implemented these actions. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: Department of State officials stated in January 2020 that the department plans to communicate a reminder to posts abroad that there is a requirement to scan required E-2 documentation into each visa applicant's record. Department of State also plans to provide regular policy guidance to consular managers at posts that adjudicate E-2 visa applications. Further, Department of State officials stated in July 2020 that the department plans to incorporate the supplemental E-2 visa application (DS-156E) into the standard online application for all nonimmigrant visa applicants (DS-160). However, the officials stated that they experienced technical challenges in doing so, and were still working to resolve the challenges as of July 2020. We will continue to monitor the status of this recommendation as the Department of State works to address the technical challenges.
GAO-19-479, Jun 28, 2019
Phone: (202) 512-2623
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: The Office of Management and Budget (OMB) disagreed with our recommendation. In the agency's comment section of the GAO report, OMB staff stated that OMB did not believe the sufficiency or timeliness of control plans present material issues that warranted OMB action. While OMB acknowledged that almost all agency control plans were submitted after the statutory deadline, OMB staff stated that this delay in itself neither indicated the absence of controls nor the effectiveness of those controls. Further, OMB staff stated that it is agency management and not OMB that has responsibility for ensuring compliance with applicable laws and regulations. While agencies were responsible for submitting their internal control plans, federal law placed the responsibility of establishing the criteria for the internal control plans with OMB. Therefore, we believe that our recommendation is warranted. In January 2020, OMB informed us that there are no additional updates at this time regarding status, actions, or timelines to develop a strategy. We will continue to monitor the agency's actions to address this recommendation.
Phone: (202) 512-2757
including 1 priority recommendation
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: As of May 2020, the Bureau's program risk registers included a clear indication of the status of mitigation plans; however, the Bureau's portfolio risk register did not, without which there was not a clear indication of which portfolio risk mitigation plans had been approved by management. As of August 2020, the Bureau's portfolio risk register also included a clear indication of mitigation plan status. At that time, we reviewed the Bureau's program and portfolio risk registers to determine whether the Bureau had developed and obtained management approval of mitigation and contingency plans for all risks that required them. We found six risks that met the Bureau's requirements for a contingency plan but did not have an approved contingency plan in place. We notified the Bureau and asked them to ensure that approved mitigation and contingency plans were in place for all risks that required them. We will continue to monitor the Bureau's actions to implement this recommendation.
Agency: Department of Commerce
Status: Open
Comments: In July 2020, the Bureau updated its decennial risk management plan and, in doing so, implemented this recommendation for six of the seven key attributes we identified. The missing attribute was monitoring plans: a description in each mitigation and contingency plan of how the agency will monitor the risk response (with performance measures and milestones, where appropriate) to help track whether the plan is working as intended. According to Bureau officials, rather than requiring this attribute, they instead noted it as a lesson learned for the 2030 Census and documented it in their knowledge management tool. In August 2020, we requested documentation of these actions. Once received, we will assess whether these actions suffice to close the recommendation.
GAO-19-352, May 14, 2019
Phone: (202) 512-8678
Agency: Federal Deposit Insurance Corporation
Status: Open
Comments: FDIC agreed that a structure should be enhanced to allow staff to further categorize MRBAs at the point of entry into the system. As of March 2020, no action has been taken on this recommendation. GAO will continue to monitor for any updates to FDIC procedures.
GAO-19-431T, Apr 30, 2019
Phone: (202) 512-2757
including 2 priority recommendations
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: Commerce agreed with our recommendation. It provided an action plan in August 2019. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.
Agency: Department of Commerce
Status: Open
Priority recommendation
Comments: Commerce agreed with our recommendation. In August 2019, the Bureau stated that it is developing a process for tracking and executing corrective actions identified by governing bodies and external entities. We will review the Bureau's progress in addressing this recommendation as part of our ongoing work on the 2020 Census.
GAO-19-164, Apr 9, 2019
Phone: (202) 512-4456
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency
Status: Open
Comments: DHS concurred with this recommendation. We will continue to monitor the department's efforts to implement it.
GAO-19-374, Apr 4, 2019
Phone: (202) 512-8777
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: TSA concurred with this recommendation and said it would take steps to implement it. In March 2020, TSA officials reported that they are developing new guidance to help testers identify and record root causes for covert test failures. Once TSA completes this guidance and GAO has been provided a copy for review, we will close this recommendation.
GAO-19-191, Apr 3, 2019
Phone: (202) 512-8678
including 4 priority recommendations
Agency: Congress
Status: Open
Comments: As of September 2020, Congress had not enacted legislation to require Ginnie Mae to evaluate the adequacy of its current guaranty fee for single-family mortgage-backed securities and report to Congress with recommendations.
Agency: Congress
Status: Open
Comments: As of September 2020, Congress had not enacted legislation to require Ginnie Mae to evaluate its reliance on contractors and report to Congress on its findings.
Agency: Congress
Status: Open
Comments: As of September 2020, Congress has not enacted legislation to require Ginnie Mae to report on how it would use greater flexibility or broader authority to set the compensation of its in-house staff.
Agency: Congress
Status: Open
Comments: As of September 2020, Congress has not enacted legislation that considers reforms to Ginnie Mae's oversight structure that can help address its increasing risks.
Agency: Department of Housing and Urban Development: Government National Mortgage Association (Ginnie Mae)
Status: Open
Priority recommendation
Comments: Ginnie Mae (HUD) agreed with this recommendation. As of September 2020, Ginnie Mae took steps to address this recommendation. First, according to its 2020 budget justification, Ginnie Mae has concluded that it would be advantageous to have the authority to administratively adjust its guarantee fee and requested that the permissible guarantee fee be established within a range. Upon receipt of this authority, Ginnie Mae would then establish an administrative process through which an adjustment could be made. Second, Ginnie Mae has developed a stress test framework and solicited public comment. According to officials, by early 2021, Ginnie Mae plans to have its contractor develop an economic model to explore the current level of the guaranty fee under different economic scenarios including variations in issuer types and across Ginnie Mae programs. To fully implement this recommendation, Ginnie Mae needs to follow through on this effort and provide additional detail on changes to the existing models and its plan to periodically conduct this analysis. We will continue to monitor Ginnie Mae's progress in implementing our recommendation.
Agency: Department of Housing and Urban Development: Government National Mortgage Association (Ginnie Mae)
Status: Open
Priority recommendation
Comments: Ginnie Mae (HUD) agreed with this recommendation. As of September 2020, Ginnie Mae said it procured a contractor to do this analysis on their behalf at the end of fiscal year 2020. Officials expected the cost analysis to commence in early 2021. To fully implement this recommendation, Ginnie Mae should ensure the analysis and plan are completed. We will continue to monitor Ginnie Mae's progress in implementing our recommendation.
Agency: Department of Housing and Urban Development: Government National Mortgage Association (Ginnie Mae)
Status: Open
Priority recommendation
Comments: Ginnie Mae (HUD) agreed with this recommendation. As of October 2020, Ginnie Mae stated it assesses procurement approaches on a per contract basis on whether to administer a contract within HUD or outsource the contract administration. However, GAO recommends Ginnie Mae comprehensively evaluate whether the outsourcing of its contract administration has met its intended purposes and is the most efficient and effective use of funds. In order to implement this recommendation, Ginnie Mae should reevaluate its decision to use an external provider.
Agency: Department of Housing and Urban Development: Government National Mortgage Association (Ginnie Mae)
Status: Open
Priority recommendation
Comments: Ginnie Mae (HUD) agreed with this recommendation. As of September 2020, Ginnie Mae has taken steps to assess options to revise its compensation structure. More specifically, according to Ginnie Mae, in the development of its fiscal year 2020 budget request, Ginnie requested authority to develop alternative pay options, such as premium pay, pay bands and critical pay. In August 2020, Ginnie Mae was given authority to proceed with implementing critical pay by the Office of Personnel Management. Critical Pay authority permits an agency to set a higher rate of basic pay than would otherwise be payable for a position that requires expertise of an extremely high level in a scientific, technical, professional, or administrative field and is critical to the successful accomplishment of an important mission. As of September 2020, Ginnie Mae is working with HUD on developing an implementation plan to implement critical pay within its Office of Enterprise Risk. In addition, Ginnie Mae is working with OMB to ensure program execution and outcomes are aligned between the agencies. We will continue to monitor Ginnie Mae's progress in implementing our recommendation.
GAO-19-193, Mar 29, 2019
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS partially agreed with the recommendation. IRS said it would use consistent terms in developing measures that link to its PDC program objectives, but did not agree that program objectives are necessarily framed in terms of program risks. In December 2019, IRS provided new objectives linked with proposed measures to assess collection agencies. In February 2020, IRS said it intends to award new contracts in 2021 that will include performance measures linked to program objectives. To fully address GAO's recommendation, IRS also needs to identify targets for measures linked to program objectives.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS disagreed with the recommendation. In October 2019 IRS said that including TIGTA costs in reporting program costs would be inconsistent with legislative requirements that define program costs as IRS's costs and with IRS cost-accounting practices. However, we maintain that the FAST Act set minimum reporting requirements to which IRS can add more information. Also, the existing cost accounting standards and practices to which IRS refers govern IRS's accounting for and reporting of costs incurred by IRS, not to fuller reporting of the PDC program's costs to the federal government. We will continue to pursue this recommendation and update its status in response to any changes.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with our recommendation and in October 2019 said it plans to report PDC revenue amounts going to the Treasury and to IRS's retained funds by February 2020. As of March 2020, we had not received documentation from IRS to demonstrate it had done so.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS disagreed with the recommendation and said such analysis is unnecessary due to a legal requirement to assign all such cases to collection agencies and because there is very little cost in doing so. Our report noted that IRS has the authority and responsibility for efficient program operations to not assign uncollectible debt cases. In February 2020, IRS said that the assignment and recall of cases add nothing to the cost. We disagree, noting that IRS has not supported this assertion. IRS incurred some portion of its PDC costs from assigning and recalling cases that collected no revenue. Even if these costs are minor, they would be greater than the amount collected. We maintain the importance of this recommendation because IRS has incurred tens of millions of dollars in costs with little or no revenue collected for most of the PDC cases that IRS has closed.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed and noted that it already had the recommended analyses built into the PDC case identification process. IRS also provided documentation to GAO in December 2019 and its comments in February 2020 repeated its view that its process already identified other inactive cases that have not been assigned to PDC. IRS's documentation during the review and provided in December did not show how IRS analyzes its debt inventory and PDC results to identify inactive cases that are not being assigned to PDC but may be worth pursuing.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019, on actions taken to implement the recommendation. IRS actions included a risk register with related information on the analyses and response to the listed risks.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019, on actions taken to implement the recommendation. IRS actions included a risk register with related information on the analyses and response to the listed risks.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019, on actions taken to implement the recommendation. IRS actions included a risk register with related information on the analyses and response to the listed risks.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019 on actions taken to implement the recommendation, such as outreach to FTC on its system to record the complaints.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019 on actions taken to implement the recommendation, such as a system to record feedback received.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation and said that by June 2020, it would conduct a fraud risk assessment based on the Fraud Reduction and Data Analytics Act of 2015 and OMB guidance. We will update the status when we complete review of any documentation IRS provides on actions taken to implement the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. We will update the status after completing review of documentation IRS provided in December 2019 on actions taken to implement the recommendation.
GAO-19-297, Mar 18, 2019
Phone: (202) 512-6722
Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open
Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open
Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open
Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Homeland Security: United States Immigration and Customs Enforcement
Status: Open
Comments: As of March 2020, ICE officials indicated that they were in the process of addressing GAO's recommendation and would submit an update including supporting documentation when available. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-19-198, Mar 7, 2019
Phone: (202) 512-3604
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the DOD and military service Inspectors General had convened a working group to coordinate performance improvement on unmet timeliness goals. According to the IG, the working group's recommendations are being incorporated into uniform standards for reprisal investigations that are expected to be finalized in the second quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Air Force Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Air Force Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the future whistleblower case management system would incorporate design limits providing for access to information only by personnel necessary to accomplish assigned tasks in accordance with organizational missions and business functions. According to the IG, the system is scheduled to deploy in the third quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Air Force Inspector General concurred with this recommendation, and stated in December 2019 that an update scheduled for the end of April 2020 would enhance access control measures in its existing applications. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Army Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Army Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
Agency: Department of Defense
Status: Open
Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.
GAO-19-101, Jan 31, 2019
Phone: (202) 512-3841
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of August 2020, NNSA provided a project plan for tasks to be completed for common financial reporting through 2021. However, NNSA has not developed requirements that define specific or detailed requirements for successful implementation of common financial reporting, such as the types of information that program managers need.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of August 2020, NNSA established a detailed project schedule for the common financial reporting effort through fiscal year 2021. However, NNSA should communicate this detailed project schedule for the effort to Congress on an annual basis.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: In June 2020, NNSA developed a risk management plan for common financial reporting which established a framework for identifying and managing risks. GAO will continue to monitor NNSA's efforts to implement the plan, including how NNSA identifies and documents risks and mitigates risk exposure using its management plan.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: As of September 2020, NNSA has continued to engage on a regular basis with its M&O contractors. However, similar efforts have not continued with stakeholders of the program offices.
GAO-19-105, Dec 18, 2018
Phone: (202) 512-6244
Agency: Department of Homeland Security
Status: Open
Comments: DHS provided evidence in December 2019, but it was insufficient to close this recommendation. We will continue to follow up with DHS.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: As of January 2020, the Office of Management and Budget has not provided sufficient evidence to close this recommendation. We will continue to follow up with OMB.
GAO-19-34, Dec 4, 2018
Phone: (202) 512-6722
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA. However, OMB and the other agencies subject to PIIA essentially must satisfy the same requirements established under FRDAA, including adhering to OMB's related guidelines. OMB has not updated its published guidelines for FRDAA as we recommended. If OMB takes additional actions to supplement guidelines under PIIA, we will review the guidelines to determine whether they address our recommendation.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA, but maintained similar reporting requirements for federal agencies regarding fraud risks and also extended the timeline for reporting by a year. OMB did not update its previous reporting guidance for FRDAA as we recommended. If OMB takes additional actions to supplement reporting guidelines under PIIA, we will review the guidelines to determine whether they address our recommendation.
GAO-19-73, Nov 13, 2018
Phone: (202) 512-4523
including 6 priority recommendations
Agency: Department of Defense: Department of the Army
Status: Open
Priority recommendation
Comments: The Army concurred with this recommendation. As of February 2020, DOD officials told us that the Army has required monitoring of its processes used for recording all real property information. Specifically, the Army developed a 5-year plan to address the recommendations to improve data quality and accountability in conjunction with the ongoing DOD financial statement audit. The plan reportedly requires measuring results through directed physical inspections and record updates, using a single, standardized Accountable Property System of Record (APSR) for all assets. DOD officials also told us that the Army developed an automated validation and second-person verification to comply with the requirements and business rules of the DOD Real Property Information Model (RPIM), and that it continues to use OSD's validation and verification tool when providing annual data inputs to OSD's Real Property Assets Database, with any feedback to be addressed at senior Army levels. However, DOD officials did not provide any documentation that these requirements have been established. Once we receive that documentation, we will review it to assess the extent to which it meets the intent of our recommendation.
Agency: Department of Defense: Department of the Navy
Status: Open
Priority recommendation
Comments: The Navy concurred with this recommendation. As of February 2020, DOD officials stated that the Navy required monitoring of its processes used for recording real property information. Specifically, the Navy established a requirement for a 100% inventory check to ensure existence and completeness of its real property information. As part of DOD's larger effort to improve its financial management through the Financial Improvement and Audit Readiness (FIAR) guidance, DOD officials also told us that the Navy plans to implement the existence and completeness results provided by an independent Public Accounting Firm. Further, it will continue to use OSD's validation and verification tool when providing annual data inputs to OSD's Real Property Assets Database, with any feedback to be addressed at senior Navy levels. However, DOD officials did not provide any documentation that these requirements had been put in place. Once we receive that documentation, we will review it to assess the extent to which it meets the intent of our recommendation.
Agency: Department of Defense: Department of the Air Force
Status: Open
Priority recommendation
Comments: The Air Force concurred with this recommendation. As of February 2020, DOD officials told us that the Air Force has required monitoring of its processes for recording all required real property information. For example, the Air Force plans to establish a Data Quality Program (DQP) within the Air Force Civil Engineer Center Information Technology Functional Management Office to incorporate requirements for improving accuracy of its asset information in its Accountable Property System of Record (APSR). The Air Force also plans to revise its instruction AFI 32-9005 to define responsibility for the accuracy of data at the lowest level. Further, it plans to require use of OSD's validation and verification tool to identify and correct inaccuracies when providing annual data inputs to OSD's Real Property Assets Database, with any feedback to be addressed at senior Air Force levels. However, DOD officials did not provide any documentation that these requirements had yet been put in place. We await documentation of these requirements and will review them, once received, to assess the extent to which they meet the intent of our recommendation.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: DOD concurred with this recommendation to define and document which data elements within its Real Property Assets Database (RPAD) submissions are most significant for decision-making. As of February 2020, DOD officials told us they will conduct a review of all data elements in its Real Property Assets Database, including compiling a list of all data elements actively being used by data consumers. DOD also plans to divide required data elements into blocks to begin strenuous monitoring for accuracy. DOD's estimated completion date for these actions is September 2023. We will continue to monitor the completion of DOD's planned actions.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: DOD concurred with this recommendation to coordinate on corrective action plans to remediate discrepancies in significant data elements in its real property data system that are identified by OSD's verification and validation tool. As of February 2020, DOD officials told us they plan to establish a senior leader Functional Governance Board to monitor accuracy compliance. DOD also plans to establish quarterly progress reports to be posted on the Data Analytics Integration Support (DAIS) application for constant monitoring by all users. DOD's estimated completion date for these actions is September 2022. We will continue to monitor the completion of DOD's planned actions.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: DOD partially concurred with this recommendation and stated that it plans to collaborate with the military services on separate service strategies that reflect each military service's operating environment. As of February 2020, DOD officials told us they plan to stabilize their Data Analytics Integration Support (DAIS) platform to improve data inventory by ensuring successful network connectivity for all military service users. DOD will update policy guidance to formalize the use of the DAIS platform for inventory submission by the military services. DOD also will develop and formalize in policy benchmarks and metrics to monitor data accuracy. DOD's estimated completion date for these actions is September 2023. We will continue to monitor the completion of DOD's planned actions.
Phone: (202) 512-2834
Agency: Federal Energy Regulatory Commission
Status: Open
Comments: In February 2020, GAO confirmed that FERC had developed new standard operating procedures for tracking deficiencies and follow-up items arising from dam safety inspections and other dam safety reviews. In addition, FERC told GAO that they plan to update their tracking system beginning in fiscal year 2021, which will facilitate the complete recording and subsequent analysis of safety deficiencies from inspections across FERC's portfolio of regulated dams. GAO will continue to monitor FERC's efforts to implement this recommendation.
Agency: Federal Energy Regulatory Commission
Status: Open
Comments: In January 2019, FERC told GAO that it had begun developing a screening-level risk-assessment program to assess safety risks across the inventory of regulated dams and to help guide safety decisions. In February 2020, GAO confirmed that FERC had completed this screening-level risk assessment and conducted some preliminary analysis of the results. In addition, FERC told GAO that the results of the screening-level risk analyses will be used to revise the potential timing, frequency, and technical disciplines represented on dam safety inspections; to confirm or revise the urgency of existing and potential new follow-up dam safety actions; to identify previously unrecognized dam safety concerns and issues; and to identify new dam safety priorities. GAO will continue to monitor FERC's efforts to implement this program.
GAO-19-115, Oct 2, 2018
Phone: (202) 512-7215
Agency: Department of Agriculture: Office of the Secretary: Food, Nutrition and Consumer Services: Food and Nutrition Service
Status: Open
Comments: FNS agreed with this recommendation. The agency noted that it has been moving in the general direction of this recommendation and would build on current efforts to address it but noted that state readiness and technical capabilities are limiting factors in the adoption of data analytics.
GAO-18-637, Sep 18, 2018
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: As of August 2020, Congress had not designated an agency to regularly collect and maintain data on LIHTC project development costs.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that requiring general contractor cost certifications would help address a known fraud risk.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that greater standardization of LIHTC cost data would facilitate analysis of cost drivers and cost-management practices.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS disagreed with the recommendation and had not taken action to implement it as of August 2020. We maintain that communicating expectations about the collection and review of syndication expenses would enhance program transparency and allocating agency financial assessments.
GAO-18-518, Sep 17, 2018
Phone: (202) 512-9342
Agency: Department of Education
Status: Open
Comments: FSA concurred with this recommendation and the agency stated that loan servicers are scheduled to be enrolled in its ongoing security authorization program beginning in fiscal year 2019. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA stated that it concurred with this recommendation, but the actions it said it planned to take would not fully address it. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA concurred with this recommendation and described planned actions to address it. In November 2019, FSA officials told us that this recommendation has a pending date of 5/31/2020 for completion. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA partially concurred with this recommendation and described actions it planned to take in response. However, we believe the entire recommendation is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA stated that it partially agreed with this recommendation; however, if effectively implemented, the planned actions it described would address this recommendation. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Education
Status: Open
Comments: FSA did not concur with this recommendation. However, we believe it is still warranted. In November 2019, FSA officials told us that this recommendation had been implemented; however, they did not provide documentation to demonstrate actions taken to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-93, Aug 2, 2018
Phone: (202) 512-4456
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of July 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.
Agency: Department of Agriculture
Status: Open
Comments: The agency agreed with the recommendation and, in May 2019, the agency revised its departmental policies to address 21 of the 22 responsibility gaps identified in the report. The remaining responsibility is for the Chief Information Officer (CIO) to report annually to the head of the agency on progress made in improving IT personnel capabilities. In particular, while USDA's CIO is required to conduct an annual assessment on IT personnel, there is no indication that the results are reported to the agency head. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Commerce
Status: Open
Comments: The agency agreed with the recommendation and, in October 2018, described a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Defense
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Education
Status: Open
Comments: We will provide updated information when we confirm what actions the agency has taken in response to this recommendation.
Agency: Department of Energy
Status: Open
Comments: The department planned to complete several steps by the end of 2019. When we confirm these actions, we will provide updated information.
Agency: Department of Health and Human Services
Status: Open
Comments: The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: 1) report directly to the agency head or that official's deputy, 2) improve the management of the agency's IT through portfolio review (PortfolioStat), and 3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.
Agency: Department of Homeland Security
Status: Open
Comments: The agency agreed with the recommendation, and revised and provided additional departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to 1) review and approve IT contracts, acquisition plans, or strategies; and 2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive gives that authority to the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.
Agency: Department of Housing and Urban Development
Status: Open
Comments: The department indicated that it has work underway to address this recommendation, which it plans to complete in March 2020. When we confirm those actions, we will provide updated information.
Agency: Department of the Interior
Status: Open
Comments: The department planned to review its policies and take corrective actions, as necessary. When we confirm those actions, we will provide updated information.
Agency: Department of Justice
Status: Open
Comments: Justice concurred with our recommendation and started work to address it. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Labor
Status: Open
Comments: Labor has taken a number of steps in response to this recommendation. However, the agency's policies did not address the six key areas of responsibility for CIOs.
Agency: Department of State
Status: Open
Comments: The department has begun changing its policies to address this recommendation. When we review those changes, we will provide updated information.
Agency: Department of Transportation
Status: Open
Comments: DOT agreed with many of the responsibilities in our recommendation, and in September 2019, the agency planned to leverage their technical infrastructure modernization initiative to further define the CIO responsibilities identified in the 18 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA agreed with our recommendation and, as of January 2020, is working to address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Environmental Protection Agency
Status: Open
Comments: EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work to address this recommendation. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with our recommendation and stated that the agency was updating its policies to address the responsibilities identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: National Science Foundation
Status: Open
Comments: NSF agreed with our recommendations, and in February 2020, the agency issued a new CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility for the CIO to benchmark agency processes against private and public sector performance has not been established through the agency's policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.
Agency: Nuclear Regulatory Commission
Status: Open
Comments: NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. It anticipated that it would complete those updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.
Agency: Office of Personnel Management
Status: Open
Comments: OPM agreed with our recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Small Business Administration
Status: Open
Comments: SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan, revised in 2019, addresses two of the 19 responsibility gaps identified in the report. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
GAO-18-492, Jul 19, 2018
Phone: (202) 512-6722
Agency: Export-Import Bank of the United States
Status: Open
Comments: In November 2019, EXIM told us it continues work in this area and will provide us information on this work as it is completed. We will continue to monitor EXIM's progress in this area.
Agency: Export-Import Bank of the United States
Status: Open
Comments: In November 2019, EXIM told us it was in the final stages of its process for completing its antifraud strategy. We will continue to monitor EXIM's efforts in this area.
Agency: Export-Import Bank of the United States
Status: Open
Comments: In November 2019, EXIM stated that it is continuing to work with its Inspector General to implement this recommendation. We will continue to monitor EXIM's progress in this area.
Agency: Export-Import Bank of the United States
Status: Open
Comments: In November 2019, EXIM stated that it is continuing to work with its Inspector General to implement this recommendation. We will continue to monitor EXIM's progress in this area.
Agency: Export-Import Bank of the United States
Status: Open
Comments: In November 2019, EXIM stated that it is continuing work to implement this recommendation. We will continue to monitor EXIM's progress in this area.
GAO-18-476, Jul 11, 2018
Phone: (202) 512-4841
including 1 priority recommendation
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA did not concur with our recommendation that the Commercial Crew Program should include the results of its schedule analysis in its quarterly reports to Congress. In July 2019, NASA reaffirmed that it will be working to ensure that the contractors' schedules and the program's internal assessments sync up as the program gets closer to launch, which is the process it used in March 2019 leading up to SpaceX's uncrewed test flight. GAO continues to believe that the recommendation is valid because the program's schedule risk analysis would provide Congress with valuable insight into potential delays, which are likely.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA agreed with this recommendation. NASA stated that it is in discussions with Russia to obtain additional seats on its Soyuz spacecraft for NASA crew as a contingency plan. NASA is also providing Extra-Vehicular Activity and robotics training for a subset of cosmonauts to support U.S. Operating Segment operations, and looking at a possible extension of the duration of the SpaceX Demonstration 2 crewed test flight. In November 2019, NASA reported that it completed its actions for this recommendation. However, while NASA is working on potential solutions, there is no contingency plan in place. To fully implement this recommendation, NASA needs to provide documentation of its contingency plan.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA partially concurred with our recommendation, stating it documented the agency's risk tolerance level with respect to loss of crew for the program in its May 2011 safety memo. NASA stated that ultimately the Commercial Crew Program is accountable for ensuring that the contractors' systems meet the loss of crew value of 1 in 270. In July 2019, the Commercial Crew Program noted that it will continue to determine its risk tolerance with respect to loss of crew and formally document its decisions at program management meetings. We continue to believe that, before agency certification, the key parties must collectively determine how the agency will determine its risk tolerance with respect to loss of crew, as the risk tolerance for the loss of crew requirement depends on which entity is presenting the results of its analysis. We believe this approach will reduce confusion and increase transparency. In late September 2020, GAO received additional information from NASA on actions taken to implement this recommendation. We are currently assessing this information.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with our recommendation to document lessons learned related to the loss of crew requirement. In June 2020, NASA told us that it expects to take action to close this recommendation by the end of May 2021.
GAO-18-298, Jun 28, 2018
Phone: (202) 512-9286
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year 2018 Operational Analysis Results report, dated June 24, 2019. The report demonstrated that IRS, in response to our recommendation, had ensured that the operational analysis for IMF fully addressed greater utilization of technology or consolidation of investments to better meet organizational goals. However, the operational analysis did not reflect IRS's progress to date in modernizing IMF and the associated challenges. As we reported, this omission is concerning given the risk exposure from the agency's continued use of the legacy assembly language code. In order to close the recommendation, IRS needs to update the operational analysis to reflect its progress modernizing IMF.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for TSS, it did not identify the metrics used to determine whether TSS supported customer processes or delivered the goods and services that it is intended to deliver. To close this recommendation, IRS will need to provide the detailed operational analysis for TSS incorporating these metrics. As of December 2019, IRS has not provided the full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided GAO its fiscal year (FY) 2018 Operational Analysis Results report. While the report included a summary of the FY 2018 operational analysis for the Telecommunications Systems and Support (TSS) investment, including planned and actual cost figures for FY 2018, the report did not indicate whether the planned cost figure for FY 2018 accounted for reimbursable costs and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for TSS, as well as documentation showing whether reimbursable costs and user fees are included in the planned cost figure. As of December 2019, IRS has not provided a full TSS operational analysis to GAO. Upon receiving the document, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In August 2019, IRS provided its fiscal year (FY) 2018 Operational Analysis Results report, dated June 24, 2019. While the report included a summary of the FY 2018 operational analysis for the End User Systems and Services (EUSS) investment, including planned and actual cost figures for FY 2018, it did not specify whether the planned cost figure accounted for multi-year funding and user fees, as we reported. To address this recommendation, IRS will need to provide a full operational analysis for EUSS, as well as documentation showing whether multi-year funding and user fees are included in the planned cost figure. As of December 2019, IRS has not provided the full EUSS operational analysis to GAO. Upon receiving it, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates on the status of the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by November 2019. As of December 2019, IRS has not provided any updates indicating whether the agency has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019. While the plan addressed most of the activities associated with the preparing for risk management key practice, it did not identify risk constraints, risk assumptions, or risk tolerance for the MSSS investment. Upon receiving further information, we will review it to determine if IRS has fully addressed this recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has implemented the activities associated with the Analyze Risk key practice. Specifically, while the plan describes a risk analysis process in which risks are classified as high, medium, or low risk, neither the plan nor any of the other documents describes criteria for evaluating and quantifying risk likelihood and severity (impact) levels. Additionally, the Risk Management Plan does not indicate whether analysis of MSSS risks includes both inherent and residual risks. Upon receiving additional information indicating that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframe and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has established threshold values for MSSS risk categories or alternative courses of action for critical risks. Upon receiving additional information indicating that it has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it would implement the recommendation by October 2019. In November 2019, IRS provided its IT Enterprise Operations Mainframes and Servers Services and Support (MSSS) Risk Management Plan, dated October 7, 2019, along with several other documents associated with the agency's IT risk management process. However, the documents do not demonstrate that IRS has fully implemented all of the activities associated with the monitoring, reporting, and controlling key practice. Specifically, our review of the documents shows that IRS has not established threshold values for MSSS risk categories, and as a result is unable to compare the status of risks to acceptability thresholds to determine the need for implementing a risk mitigation plan. In addition, although the MSSS Risk Management Plan was updated in October 2019, its previous revision occurred in October 2017, indicating that IRS has not yet reviewed all aspects of the risk management program at least once a year. Upon receiving additional information that IRS has addressed these activities, we will review it to determine if IRS has implemented the recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2018, IRS told GAO it had initiated efforts to address workforce planning agency-wide. The agency stated that the Human Capital Office in coordination with the Information Technology organization prioritizes critical skills gaps to develop gap mitigation strategies, which are implemented through IT annual training plans and succession planning efforts. IRS also stated that the mitigation plans will be monitored in the current Project and Portfolio Management System and that the Human Capital and Information Technology organizations will monitor resource capacity, skills, assigned work effort, and staff availability. In addition, IRS stated that it would utilize special hiring authorities as a competency and staffing mitigation strategy. The agency noted that the special authorities are subject to the availability of resources and agency approval. Further, IRS stated that, due to the diversion of IT resources to the Tax Cuts and Jobs Act implementation, development of a plan for scaling and expansion of workforce planning efforts will commence after the opening of Filing Season 2020. IRS stated that, due to those constraints, it could not provide a date for fully implementing the recommendation. As of December 2019, IRS has not provided any updates indicating whether it has implemented the recommendation. When we confirm what actions IRS has taken, we will provide updated information.
GAO-18-421, Jun 5, 2018
Phone: (202) 512-8678
including 2 priority recommendations
Agency: Small Business Administration
Status: Open
Priority recommendation
Comments: For the second and third recommendations, related to lenders' use of the credit elsewhere criteria as part of its monitoring of lender practices, on June 11, 2019, SBA provided information on 7(a) lender reviews and summary reports. On September 27, 2019, we discussed these recommendations and SBA's responses with an SBA official. Specifically, we discussed the role of statistical sampling in addressing lender practices and SBA's selection of lenders for further review. On November 22, 2019, an SBA official stated that the agency plans to provide additional documentation in six months to further support actions taken. We will continue to monitor SBA's efforts to address this recommendation.
Agency: Small Business Administration
Status: Open
Priority recommendation
Comments: For the second and third recommendations, related to lenders' use of the credit elsewhere criteria as part of its monitoring of lender practices, on June 11, 2019, SBA provided information on 7(a) lender reviews and summary reports. On September 27, 2019, we discussed these recommendations and SBA's responses with an SBA official. Specifically, we discussed the role of statistical sampling in addressing lender practices and SBA's selection of lenders for further review. On November 22, 2019, an SBA official stated that the agency plans to provide additional documentation in six months to further support actions taken. We will continue to monitor SBA's efforts to address this recommendation.
GAO-18-380, May 29, 2018
Phone: (202) 512-7114
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with the recommendation. To fully implement this recommendation, VHA needs to provide information about the new documentation requirements described in the November 2019 update.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with the recommendation. To fully implement this recommendation, VHA needs to provide information about specific actions, described in the November 2019 update, taken to address the recommendation, including documentation showing the actions taken to review the OSI goals and documentation of new OSI goals, metrics, and timelines.
GAO-18-326, May 24, 2018
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: In January 2020, the Under Secretary of Defense for Acquisition and Sustainment issued an updated instruction on defense business systems requirements and acquisition, which included guidance on establishing baseline cost and schedule estimates and considering progress against the baselines at key decision points. However, the instruction does not make a distinction between initial and current baselines. Further, it did not include thresholds for cost and schedule variances or specify periodic reporting of program performance information to stakeholders. According to an official in the office of the Under Secretary of Defense for Acquisition and Sustainment, the office does not intend to add the elements of the recommendation related to thresholds and reporting. Specifically, according to the official, the office considers specifying predetermined threshold cost and schedule estimates and frequency for status reporting to be matters for implementation guidance issued by department components or determined by a program decision authority. However, until the department demonstrates that it has fully addressed the recommendation, it is limited in its ability to ensure that effective system acquisition management controls are implemented for each major business system investment and that stakeholders have the information needed to make informed decisions for managing and overseeing these investments. We will continue to monitor the department's implementation of the recommendation.
Agency: Department of Defense
Status: Open
Comments: As of November 2019, the Department of Defense had made progress addressing the intent of the recommendation related to requirements management; however, it needs to do more to improve DHMSM program risk management. Specifically, in March 2019, the DHMSM program manager approved a requirements management plan, which includes identifying and documenting changes that should be made to plans and work products resulting from changes to the baseline requirements. Specifically, it includes forward and backward configuration and change management of the baselined requirements and managing traceability of requirements to design artifacts, test cases, defects, and change requests. However, the program has not demonstrated that it quantifies costs and benefits of risk mitigation in its risk mitigation plans. Specifically, it did not demonstrate that it had updated its guidance to require that costs and benefits of risk mitigation plans be included in these plans. We will continue to monitor the department's efforts to implement the recommendation.
GAO-18-398, May 22, 2018
Phone: (202) 512-7215
Agency: Department of Labor
Status: Open
Comments: DOL neither agreed nor disagreed with this recommendation. On April 23, 2018, while DOL was reviewing our report, the agency issued Field Assistance Bulletin 2018-01 regarding retirement plans' use of ESG factors. While this new bulletin specifically mentions the use of ESG factors in a QDIA and reiterates the conditions under which an investment option may generally be considered a QDIA, it focuses on the use of ESG factors for collateral benefits rather than on cases where ESG factors are considered in investment decisions because they have been determined by fiduciaries to be material to financial performance. For example, the new field assistance bulletin states that the QDIA regulations do not suggest that fiduciaries should select a QDIA based on collateral public policy goals. ESG factors can be used to address material risks, which might otherwise be ignored, and there is interest in considering such factors within a QDIA. The use of ESG factors in this manner can be distinct from pursuing collateral public policy goals. Additional clarification from DOL that explicitly addresses plans' use of financially material ESG factors in investment options designated as a QDIA could enhance the agency's effectiveness in assisting plan fiduciaries with understanding and fulfilling their obligations under ERISA. In June 2019, DOL stated that it would be appropriate to engage with stakeholders before reaching any conclusions about the necessity or appropriateness of issuing further guidance in this area. Additional information about DOL's efforts to engage with stakeholders, including the outcome of such efforts and rationale for any conclusions reached would help determine the effectiveness of the agency's actions.
Agency: Department of Labor
Status: Open
Comments: DOL neither agreed nor disagreed with this recommendation. GAO believes that while DOL's new field assistance bulletin provides information on the limitations of using ESG factors for pursuing collateral benefits, additional clarifying information could help sponsors conduct due diligence in considering whether ESG factors are material to an investment's financial performance and, if so, how to address those material risks. DOL's written comments recognize that additional clarification could be appropriate, depending on responses to the new field assistance bulletin from the public. We appreciate the consideration of the need for additional information, particularly as some have noted the new field assistance bulletin could create a chilling effect that leads fiduciaries to avoid considering ESG factors that could address material risks in their investments, to the detriment of plan participants' best interests. In June 2019, DOL stated that it would be appropriate to engage with stakeholders before reaching any conclusions about the necessity or appropriateness of issuing further guidance in this area. DOL further stated that the agency added a new project to the Spring 2019 regulatory agenda related to proxy voting. Additional information about DOL's new project on proxy voting and efforts to engage with stakeholders, including the outcome of such efforts and rationale for any conclusions reached, would help determine the effectiveness of the agency's actions.
GAO-18-337, May 22, 2018
Phone: (202) 512-4456
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort has an estimated completion date in fiscal year 2023.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. The agency now expects to complete actions to address this recommendation by November 2020.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. As of April 2020, the agency had not yet provided evidence that it had developed policies and procedures for evaluating the portfolio. We plan to continue following up on the status of efforts to address this recommendation.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. As of September 2020, NASA reported that it intends to deliver a cybersecurity risk management strategy that addresses the elements outlined in this recommendation by 2021.
Agency: National Aeronautics and Space Administration
Status: Open
Comments: NASA concurred with this recommendation. As of September 2020, NASA reported that the Chief Information Officer had initiated a review of the agency's cyber policy management framework and that any related updates were expected to be completed by 2021.
GAO-18-415, May 17, 2018
Phone: (202) 512-3149
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and set a target date for implementation of October 1, 2023. In July 2018, Interior stated that the trust fund committees were in discussions related to identifying the parameters and principles for a distribution policy and formula(s) to calculate the distribution prior to preparing the text of a distribution policy, and that representatives from Interior and the State Department would discuss our recommendations with the trust fund committees. According to the Trust Fund Administrator and Interior, the distribution policy was discussed at subsequent trust fund committee meetings, and trust fund representatives met with FSM representatives in January 2019 to discuss the status of the trust fund and future scenarios for its management. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser gave a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's Joint Compact Review and Planning Committee (JCRP) had appointed a chief negotiator and, in light of this appointment, the FSM compact trust fund members would not be taking a position on a distribution policy on behalf of the FSM. The FSM's position is that the distribution policy and other future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that discussions among the trust fund committees and others were ongoing and the fiscal procedures applicable to the trust fund disbursements will be determined prior to October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser gave a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's position is that future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that the trust fund committees have been discussing options for ensuring that the timing of the calculation of compact trust fund disbursements aligns with the budget process of the FSM and that, of the options reviewed thus far, using a multi-year rolling average was the favored option. Interior added that the final determination on the timing of the calculation of the trust fund disbursements will be addressed in the distribution policy. Interior set a target date for implementation of the recommendation to develop a distribution policy of October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the FSM trust fund committee's September 2019 meeting. At the meeting, the trust fund adviser gave a presentation to the committee that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement. However, the FSM compact trust fund committee did not make any decisions regarding steps to address our recommendations. At the meeting, an FSM representative on the FSM compact trust fund committee stated that the FSM's position is that future compact trust fund-related issues should be discussed as part of future negotiations between the FSM and the United States. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and set a target date for implementation of October 1, 2023. In July 2018, Interior stated that the trust fund committees were in discussions related to identifying the parameters and principles for a distribution policy and formula(s) to calculate the distribution prior to preparing the text of a distribution policy, and that representatives from Interior and the State Department would discuss our recommendations with the trust fund committees. According to the Trust Fund Administrator and Interior, the distribution policy was discussed at subsequent trust fund committee meetings, and trust fund representatives met with RMI representatives in January 2019 to discuss the status of the trust fund and future scenarios for its management. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that the RMI government has determined that using the original distribution structure, with disbursements in the amount of annual grant assistance and full adjustment for inflation, remains the RMI's position. In addition, any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that discussions among the trust fund committees and others were ongoing and the fiscal procedures applicable to the trust fund disbursements will be determined prior to October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
Agency: Department of the Interior
Status: Open
Comments: Upon the report's publication, Interior concurred with our report's recommendations and stated that discussions to address them are ongoing within the trust fund committees. In July 2018, Interior stated that the trust fund committees have been discussing options for ensuring that the timing of the calculation of compact trust fund disbursements aligns with the budget process of the RMI and that, of the options reviewed thus far, using a multi-year rolling average was the favored option. Interior added that the final determination on the timing of the calculation of the trust fund disbursements will be addressed in the distribution policy. Interior set a target date for implementation of the recommendation to develop a distribution policy of October 1, 2023. In February 2019, Interior stated that discussions about policies and controls were frequent and ongoing among Committee members and staffers along with the trust fund manager and investment advisers. GAO observed the RMI trust fund committee's September 2019 meeting. At the meeting, the committee received written information from the trust fund adviser that discussed issues associated with the distribution policy, fiscal procedures, and timing of the calculation of amounts available for disbursement, but the scheduled adviser presentation did not occur. At the meeting, an RMI representative on the RMI compact trust fund committee stated that any adjustments to the distribution policy and trust fund structure will be made as a result of government to government negotiation. The December 2019 trust fund committee meeting again included post-2023 issues on the agenda, but the committee did not take actions at that time.
GAO-18-364, Apr 17, 2018
Phone: (202) 512-4841
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation, stating that it agreed that manufacturing readiness levels (MRL) for the Amphibious Combat Vehicle 1.1 should be assessed prior to the decision to award the option for the second lot of low-rate production, but disagreed that an MRL assessment of any individual risk area, in itself, should delay the contract award. We maintained that achieving an overall MRL-9 by the start of full-rate production represents best practice to minimize production risk. According to the Marine Corps, the most recent MRL Assessment as of August 2020 assessed the program at an overall MRL-8. The Marine Corps indicated that another MRL assessment is estimated to be completed in November 2020 to support the decision to enter full-rate production, which is planned for December 2020.
GAO-18-254, Mar 22, 2018
Phone: (202) 512-8678
including 2 priority recommendations
Agency: Consumer Financial Protection Bureau
Status: Open
Comments: In a May 2018 letter, the Acting Director of the Bureau stated that the Bureau has previously issued principles that include reasonable and practical means for consumers to dispute and resolve instances of unauthorized payments conducted in connection with or as a result of authorized or unauthorized data sharing access. The letter notes that the Bureau is committed to monitoring developments in data aggregation markets and will continue to assess how the Bureau's consumer protection principles may be best realized, including engaging in discussions with other relevant federal and state financial regulators. In October 2018, Bureau staff advised us that they made a presentation on existing consumer protections that would appear to be applicable to consumers using data aggregators at the June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, and the National Credit Union Administration. They noted they are monitoring private sector efforts related to resolving data aggregation issues and that additional discussions among the regulators about these issues will be held in the future. We will recontact the agency in the future to obtain information on additional actions it has taken. In January 2020, GAO met with CFPB to discuss the recommendation and potential outcomes that could close the recommendation. CFPB officials stated that they will be hosting a public forum on data aggregation in February 2020. They noted that results from the public forum could include action related to the data aggregation recommendation.
Agency: Federal Reserve System: Board of Governors
Status: Open
Priority recommendation
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of working together to determine how best to encourage socially beneficial innovation in the marketplace, while ensuring that consumers' interests are protected. The letter noted that the Federal Reserve staff have been meeting with other regulators and industry participants. The Chair states that the Federal Reserve will continue to facilitate and engage in collaborative discussions with other relevant financial regulators in these and other settings to help market participants address the important issues surrounding reimbursement for consumers who use financial account aggregators and experience unauthorized transactions. In October 2018, Federal Reserve staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau. They noted that they are monitoring private sector efforts related to resolving data aggregation issues and expect to hold additional discussions among the regulators about these issues in the future. In March 2019, the agency noted that it continues to collaborate on this issue. As of February 2020, the agency had no further updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Federal Deposit Insurance Corporation
Status: Open
Priority recommendation
Comments: In November 2018, FDIC staff confirmed that they have engaged in collaborative discussions with other relevant financial regulators regarding issues related to consumers' use of account aggregation services and associated liability issues. We followed up in April 2019 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation.
Agency: National Credit Union Administration
Status: Open
Comments: In July 2018, NCUA staff indicated that staff from their agency had recently participated in a discussion forum with other federal regulators and other stakeholders on fintech, and, in particular, account aggregation challenges. They stated that they intend to continue to engage other regulators and related industry stakeholders on fintech topics and emerging technology that can have an impact on credit unions and their consumers. In October 2018, NCUA staff advised us that they have been discussing issues related to data aggregation at meetings of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. In November 2019, NCUA staff said that the agency continues to participate in meetings through the Fintech Interagency Discussion Group and had taken part in a Data Symposium held by the San Francisco Federal Reserve. We plan to follow up with NCUA staff to obtain updates on these efforts and resulting outcomes in the future.
Agency: Department of the Treasury: Office of the Comptroller of the Currency
Status: Open
Comments: In a May 2018 letter, OCC noted that its staff have met with the other banking regulators and with market participants about account aggregation issues in the past. In October 2018, OCC staff advised us that issues related to data aggregation were discussed at a June 28, 2018 meeting of the Fintech Interagency Discussion Group, which includes OCC, the Federal Reserve, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Bureau of Consumer Financial Protection. We followed up in January 2020 and they confirmed that their collaboration had yet to produce outcomes that would satisfy the recommendation. We plan to follow up with OCC staff to obtain updates on these efforts in the future.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that in August 2018 the agency established a working group to formally evaluate the feasibility of establishing a dedicated work unit to oversee and lead fintech and innovation efforts, including creating a website and monitoring a dedicated e-mail account. NCUA officials indicated that as of November 2019 the working group was deliberating key considerations related to establishing a dedicated work unit. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In a May 2018 letter, the Chair of the Federal Reserve Board noted that the Federal Reserve recognizes the importance of formally increasing its knowledge base related to financial innovation. The letter noted that the Federal Reserve has recently organized two nationwide teams of experts tasked with monitoring fintech and related emerging technology trends as they relate to its supervisory and payment system mandates, respectively. These new teams include representation from all of the Federal Reserve System's Reserve Banks and have leadership from Board staff. These teams' critical objectives include ensuring that fintech-related information is shared across the Federal Reserve System and is used to inform relevant supervisory, policy, and outreach strategies. As of February 2020, the agency had no updates on this recommendation. We plan to follow up with Federal Reserve staff to obtain updates on these efforts in the future.
Agency: Commodity Futures Trading Commission
Status: Open
Comments: We followed up in January 2020 and CFTC described its efforts to address this recommendation, which were encouraging. We are awaiting documentation of these efforts and when we confirm the agency's actions, we will provide updated information.
Agency: National Credit Union Administration
Status: Open
Comments: NCUA officials told us that, as of November 2019, the internal working group that the agency established in August 2018 was evaluating the feasibility and benefits of adopting certain knowledge-building initiatives related to financial innovation. Specifically, the working group was assessing initiatives such as stakeholder outreach, research and collaboration opportunities, grants and other technical assistance, and existing supervisory tools. We plan to follow up with NCUA staff to obtain updates on these efforts in the future.
GAO-18-310, Mar 20, 2018
Phone: (202) 512-2834
including 1 priority recommendation
Agency: Department of Transportation: Federal Transit Administration
Status: Open
Priority recommendation
Comments: DOT concurred with this recommendation. DOT should continue its progress to developing and communicating a methodology for how it will monitor the effectiveness of state safety agencies' enforcement.
Phone: (202) 512-3841
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: As of August 2020, FDA stated that it will update the risk assessment when more scientific evidence becomes available. In the meantime, FDA noted that it will continue to monitor research in this area, including ongoing work by the National Academies of Sciences (NAS) Board on Environmental Studies and Toxicology, which is currently reviewing EPA's work on inorganic arsenic, specifically on EPA's IRIS Toxicological Assessments of Inorganic Arsenic. GAO will assess whether FDA has taken action responsive to the recommendation when additional information becomes available.
GAO-18-218, Mar 13, 2018
Phone: (202) 512-4523
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it was working with the military departments to determine appropriate measures of future sustainment and would revise its guidance to require the military departments to incorporate measures of future sustainment into their assessments of privatized housing projects. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report and stated that it was working to further streamline the reporting format and data collection process to ensure more timely reporting to Congress. Subsequently, in September 2018 DOD issued its report to Congress on the financial condition of privatized housing covering fiscal years 2015 and 2016, and in May 2019 DOD issued the report covering fiscal year 2017. An official from the Office of the Assistant Secretary of Defense for Sustainment noted in May 2019 that the next report will cover updated reporting requirements from the National Defense Authorization Act for Fiscal Year 2019. The official said that DOD was in the process of reviewing its schedule to determine when it will be able to submit the report covering fiscal year 2018, with the expectation that the submission will be made in December 2019 or no later than March 2020. The official added that collection, reconciliation, and coordination of the information in the report remains the biggest challenge to timely submittal, as well as other privatized housing-related work requirements. Because it is unclear whether future reports reflecting the updated reporting requirements will be submitted in a timely manner, we will continue to monitor DOD's response to this recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report and stated that it would ensure that financial information on future sustainment of each privatized housing project would be included in the report to Congress on privatized housing covering fiscal year 2017. However, the report covering fiscal year 2017 was issued in May 2019 and did not include financial information on the future sustainment of each privatized housing project. We will continue to monitor any actions DOD takes to implement this recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it would issue guidance to the military departments to annually report on their assessment of the specific risk of changes in the basic allowance for housing to individual privatized housing projects and identify any courses of action to respond to the risks based on their significance. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that DOD has coordinated draft guidance with the military departments which it expected to issue in fiscal year 2018. However, in May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that the guidance has been delayed due to other pressing requirements and DOD now anticipates being able to issue this guidance sometime in calendar year 2019.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in its response to our report. In its response, the department stated that it would revise its privatized housing guidance to require the military departments to define their risk tolerances regarding future sustainability of privatized housing projects. In May 2019, an official from the Office of the Assistant Secretary of Defense for Sustainment stated that DOD anticipates being able to issue this guidance sometime in calendar year 2019.
GAO-18-183, Mar 13, 2018
Phone: (202) 512-6806
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: In March 2020, OMB staff stated that they believe they have addressed the recommendation. They reiterated a statement made shortly before we issued our report that they already take steps to check agencies' compliance with the Congressional Review Act (CRA) during the regulatory review process. We published this statement in our report, but noted that OMB staff did not provide supporting documentation. Nor does the update we received in March 2020 provide supporting documentation and, thus, we cannot verify it. The update from OMB staff in March 2020 also refers to an April 2019 memorandum the Acting Director of OMB issued to the heads of executive agencies outlining updated guidance for complying with CRA. While the memorandum reminds agencies of the CRA requirement that they delay the effective date of a major rule to allow time for congressional review and following publication in the Federal Register, unless there is good cause to not delay the effective date, the Acting Director does not explain whether his office has made changes to the regulatory review process as we recommended. We will continue to monitor OMB's efforts to address our recommendation.
GAO-18-211, Feb 15, 2018
Phone: (202) 512-9342
including 7 priority recommendations
Agency: Department of Agriculture
Status: Open
Priority recommendation
Comments: In written comments, United States Department of Agriculture (USDA) neither agreed nor disagreed with the recommendation in our report, but stated that it would attempt to develop a measurement mechanism as part of its annual data calls to the Food and Agriculture Sector. Specifically, officials stated that the diversity of the sector makes it difficult to develop a method for determining the level and type of framework adoption across the sector that would apply to all members. USDA officials added, however, that the sector coordinating council frequently invites the Department of Homeland Security to semi-annual meetings to present on both the threat to cybersecurity and resources available to support the needs of the sector. However, as of January 2020, USDA officials had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: The Department of Energy (DOE) stated that it worked with stakeholders to better align the Cybersecurity Capability Maturity Model (C2M2) with the updated NIST Cybersecurity Framework but did not provide specific information regarding the adoption or use of the framework. To fully address the recommendation, DOE should have a more comprehensive understanding of the framework's use by sector entities if DOE, along with other entities, want to ensure that its facilitation efforts are successful and determine whether organizations are realizing positive results by adopting the framework. We will continue to monitor DOE actions in response to this recommendation.
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: In written comments, EPA did not explicitly state whether it agreed or disagreed with our recommendation, but said that several factors constrain the agency from implementing the recommendation. EPA also said it agrees that a comprehensive assessment of framework adoption within the water sector would assist with evaluating and tailoring efforts to promote its use. Further, the agency stated that it will continue to work with the Water Sector Coordinating Council and sector partners to promote and facilitate adoption of the cybersecurity framework. The agency also suggested options related to developing cross-sector metrics and survey methods and stated that it will collect available data that may be characterized as cybersecurity framework "awareness," such as downloads of guidance materials and participation in classroom trainings and webinars. However, as of February 2020, EPA had yet to develop methods to determine the level and type of framework adoption. Officials identified steps the department is taking to facilitate framework use. Specifically, EPA officials told us that the agency will coordinate with its Sector Coordinating Council to identify appropriate means to collect and report information, including a survey, to determine the level and type of framework adoption. They explained that, in the past, the water sector expressed concerns with sharing sensitive cybersecurity information and in developing metrics to evaluate cybersecurity practices. However, EPA officials stated that they have conducted training, webcasts, and outreach related to cybersecurity, including using the framework and tailoring its efforts to sector needs. According to EPA officials, the agency's goal in doing so was to ensure that sector organizations understood the importance of the framework.
While the agency has some ongoing initiatives, implementing our recommendation to gain a more comprehensive understanding of the framework's use by its critical infrastructure sector is essential to the success of protection efforts.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In written comments, the Department of Health and Human Services (HHS) concurred with the recommendation in our report and stated that it would work with appropriate entities to assist in sector adoption. HHS officials, in collaboration with NIST and a joint Cybersecurity Working Group, developed 10 best practices in May 2017 (Health Industry Cybersecurity Practices) for the Healthcare and Public Health Services sector based on the framework. These practices allowed stakeholders to identify how to use the framework with existing sector resources by raising awareness and providing vetted cybersecurity practices to enable the organizations to mitigate cybersecurity threats to the sector. In addition, officials from HHS's Assistant Secretary for Preparedness and Response (ASPR) stated that the working group discussed the challenges associated with measuring the use and impact of the NIST framework, and approved the establishment of a task group to further investigate the issue. ASPR officials added that some of the ideas discussed included the use of surveys and identification of a set of voluntary reporting indicators. In its fiscal year 2021 budget justification, HHS noted that it participated in a Health Care SCC Cybersecurity Working Group survey that was sent to group members in June 2019. However, while the survey included a question on the extent a working group member used the framework, SCC officials stated that the survey results were not statistically meaningful. While the department has ongoing initiatives, it had yet to develop methods to determine the level and type of framework adoption. Implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: In written comments, the Department of Homeland Security (DHS) concurred with the recommendation in our report and stated that its National Protection and Programs Directorate, as the sector-specific agency for 9 of the 16 critical infrastructure sectors, will continue to work closely with its private sector partners to ensure framework adoption is a priority. Additionally, the department stated that the directorate will work closely with its private sector partners to better understand the extent of framework adoption and barriers to adoption by entities across their respective sectors. As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, in October 2019, DHS, in coordination with its Information Technology (IT) sector partner, administered a survey to all small and midsized IT sector organizations to gather information on, among other things, framework use and plans to report on the results in 2020. DHS officials stated that any small or mid-sized business across all critical infrastructure sectors could complete the survey and that the department had promoted the survey to all sectors.
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: As of January 2020, the department had begun taking steps to develop methods to determine the level and type of framework adoption in the respective sectors. Specifically, officials in the Department of Transportation's (DOT) Office of Intelligence, Security, and Emergency Response, in coordination with the Department of Homeland Security (DHS), told us that they planned to develop and distribute a survey to the Transportation Systems sector to determine the level and type of framework adoption. DOT officials stated that the draft survey was undergoing DHS legal review and that the completion of the review and subsequent Office of Management and Budget review would determine when the survey is approved for distribution.
Agency: Department of the Treasury
Status: Open
Priority recommendation
Comments: The Department of the Treasury neither agreed nor disagreed with the recommendation in our report. The department stated that it will assess using the identified initiatives and their viability for collecting and reporting sector-wide improvements from use of the framework with input from the sector coordinating council (SCC) and financial regulators. However, as of January 2020, the department had yet to develop methods to determine the level and type of framework adoption. Treasury officials stated that the department, in coordination with the Financial and Banking Information Infrastructure Committee, and in consultation with NIST, developed the Cybersecurity Lexicon in March 2018. The lexicon addressed, among other things, common terminology for cyber terms used in the framework. Additionally, the Financial Services sector, in consultation with NIST, created the Financial Service Sector Cybersecurity Profile (profile) in October 2018, which mapped the framework core to existing regulations and guidance, such as the Commodity Futures Trading Commission System Safeguards Testing Requirements. Officials stated that these efforts will facilitate the use of the framework. However, while the department has ongoing initiatives, implementing our recommendations to gain a more comprehensive understanding of the framework's use by critical infrastructure sectors is essential to the success of protection efforts.
GAO-18-129, Jan 30, 2018
Phone: (202) 512-3841
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: In October 2018, NNSA stated that the integrated baseline reviews, internal reviews of earned value management (EVM) systems used by life extension programs (LEP), and other controls over data integration provide a practical and cost-beneficial approach to the validation of contractor EVM systems. However, in early 2019, NNSA conducted a lessons learned study to more fully assess the cost, benefit, mission impacts, and feasibility of implementing our recommendation for possible application to future LEPs. According to NNSA documentation, based on the results of the lessons learned study, NNSA concluded that the effort and expense needed to validate contractor EVM systems against the EVM national standard could be better used providing resources to improve the agency's ability to establish work breakdown structures, schedules, and integration of scope, cost, and schedule. As a result, as of September 2019, NNSA stated that its actions meet the intent of our recommendation. We disagree. As we stated in our report, without requiring an independent entity to validate that contractor EVM systems meet the EVM national standard, NNSA may not have assurance that its LEPs are obtaining reliable EVM data for managing their programs and reporting their status. We will continue to monitor NNSA's activities to address this recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: In October 2018, NNSA stated that it conducts ongoing surveillance through integrated baseline reviews, internal reviews of EVM systems used by LEPs, and other assessments, which consider national standards. However, in early 2019, NNSA conducted a lessons learned study to more fully assess the cost, benefit, mission impacts, and feasibility of implementing our recommendation for possible application to future LEPs. According to NNSA documentation, based on the results of the lessons learned study, NNSA concluded that the effort and expense needed to conduct surveillance reviews of contractor EVM systems to ensure compliance with the EVM national standard could be better used providing resources to improve the agency's ability to establish work breakdown structures, schedules, and integration of scope, cost, and schedule. As a result, as of September 2019, NNSA stated that its actions meet the intent of our recommendation. We disagree. As we stated in our report, without requiring an independent entity to conduct surveillance reviews of contractor EVM systems through program completion, NNSA may not have assurance that its LEPs are obtaining reliable EVM data for managing their programs and reporting their status. We will continue to monitor NNSA's activities to address this recommendation.
Agency: Department of Energy: National Nuclear Security Administration
Status: Open
Comments: In October 2018, NNSA stated that it has already incorporated specific benchmarks for technology readiness levels at decision points. As an example, it stated that it recommends a technology readiness level of 5 at the beginning of phase 6.3 for an LEP. As a result, NNSA stated that its actions meet the intent of our recommendation. We disagree. As we stated in our report, it is important for NNSA to establish a requirement, not just a recommendation, that LEP critical technologies meet specific technology readiness level benchmarks at decision points. We will continue to monitor NNSA's activities to address this recommendation.
GAO-18-224, Jan 30, 2018
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of October 2019, IRS continues to disagree with this recommendation. IRS stated that it does not have all the information required for calculating and sending late penalty notifications prior to the beginning of the next filing season. However, in its response, IRS did not consider other options that could be available prior to finalizing penalty calculations, such as communicating with the employers earlier in the process. As noted in our report, quickly responding to employers that filed late increases the potential for compliance, thereby increasing the availability of W-2 data for systemic verification to detect and prevent fraud and noncompliance. We continue to believe that assessing the options for improving enforcement of late W-2 filing penalties, such as through earlier communication, would help IRS identify potential opportunities to encourage compliance with the W-2 filing deadline and verify more wage information before releasing refunds. We will continue to discuss options with IRS regarding this recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, IRS has assessed the benefits of modifying the refund hold, but it has not assessed the costs, as GAO recommended in January 2018. In November 2018, IRS provided its assessment of the February 15 refund hold. In it, IRS reiterated its findings regarding the benefits of the refund hold. These benefits included potential savings if IRS modified the hold to include all taxpayers, extended the hold to a later date when more W-2 data are available, or made both changes. However, IRS did not include any assessment of costs to achieve these potential savings, such as the costs for IRS to review any additional returns that would be identified under a modified refund hold. It did not assess taxpayer burden, either. IRS also did not determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. In January 2019, IRS took actions to hold more returns beyond the February 15 refund hold date using a risk-based selection method. Nevertheless, without a complete assessment of the benefits and costs, including taxpayer burden, IRS is making a decision based upon incomplete information. Further, if Congress or Treasury considered making any changes, they too would have incomplete information on which to direct IRS's actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, IRS has taken actions consistent with our recommendations by modifying its filters to hold more returns claiming the Earned Income Tax Credit (EITC) or Additional Child Tax Credit (ACTC) beyond the February 15 refund hold date based on a risk-based selection method. In addition, in May 2019, IRS officials told us they are making similar changes for the 2020 filing season to hold more high-risk returns not claiming EITC or ACTC until W-2 data are available. This action, if taken, would be consistent with our recommendations. In 2018, IRS assessed the benefits of modifying the refund hold; however, it did not assess or document the costs, including taxpayer burden, or determine how the February 15 refund hold informs IRS's overall compliance strategy for refundable tax credits and its fraud risk management strategy. Completing these actions, along with the planned modifications, would fully address our recommendations, which would enable IRS to make decisions based on complete information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS provided results for a pilot encouraging voluntary compliance through expanded systemic verification using W-2 data. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. If IRS determines that the benefits outweigh the costs of adopting this practice based on the pilot results, or assesses additional options to address other fraud and noncompliance before issuing refunds, it would satisfy our recommendation. We will continue to follow IRS's progress on the pilot and its results.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS provided an evaluation of a pilot it conducted during tax year 2019. In the pilot, IRS sent soft notices to a targeted group of taxpayers whose returns under-reported income compared to W-2 data. In its analysis, IRS reported that some taxpayers voluntarily amended their returns after receiving the soft notice, resulting in a net increase in tax revenue. IRS told us they intend to continue the pilot during tax year 2020. We will continue to follow IRS's progress on the pilot and its results.
Phone: (202) 512-2834
Agency: Department of Veterans Affairs
Status: Open
Comments: Shortly after the issuance of the report, VA notified GAO that it was in the process of working with the Interagency Security Committee (ISC) to update its vulnerability assessment program, with a target completion date of January 2019. Despite multiple attempts, as of June 2020, VA has not provided any information on its progress in updating its program.
Agency: Department of Veterans Affairs
Status: Open
Comments: Shortly after the issuance of the report, VA notified GAO that it had identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities and that it was reviewing an ISC-certified risk assessment tool for possible implementation consideration. Despite multiple attempts, as of June 2020, VA had not provided an update on its efforts to implement this recommendation.
GAO-18-214, Jan 10, 2018
Phone: (202) 512-3841
including 2 priority recommendations
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation
Comments: CBP agreed with our recommendation and said they would complete their corrective actions by April 30, 2020. To fully implement it, CBP should develop a monitoring system that observes agency verification of licenses for imported radiological materials to ensure CBP officials are complying with existing policies and procedures.
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation
Comments: CBP agreed with our recommendation and said they would complete their corrective actions by April 30, 2020. To fully implement it, CBP should develop a system to better identify which shipments of radiological material pose the greatest risk and revise their policies and procedures for verification of the licenses for these shipments accordingly.
GAO-18-33, Dec 18, 2017
Phone: (202) 512-3604
including 1 priority recommendation
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: In written comments on the draft report, DOD concurred with this recommendation. In April 2020, officials with the Office of the Undersecretary of Defense for Personnel and Readiness stated that development of a new sexual harassment prevention strategy was complete and going through DOD's internal review process. The officials stated that the Undersecretary's review and approval of the assessment report will be complete before the end of the fiscal year, September 30, 2020. We will continue to monitor DOD's efforts and update the status of this recommendation as more information becomes available.
Agency: Department of Defense
Status: Open
Comments: In written comments on the draft report, DOD concurred with this recommendation. According to officials with the Office of the Undersecretary of Defense for Personnel and Readiness, development of a new sexual harassment prevention strategy is complete and the strategy is going through DOD's internal review process. Additionally, a Defense Equal Opportunity Reform Group assessment report containing a review of the department's efforts to prevent sexual harassment was also submitted to the Undersecretary of Defense for Personnel and Readiness. The officials stated that the Undersecretary's review and approval of both the new strategy and assessment report should be completed by the end of the fiscal year, September 30, 2020. We will continue to monitor DOD's efforts to address this recommendation and will update its status when more information becomes available.
GAO-18-88, Dec 5, 2017
Phone: (202) 512-6722
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: The agency agreed with this recommendation. In July 2018, CMS reported that it is strengthening its efforts to ingrain fraud risk management principles throughout the Agency and is developing a training video, module, and curriculum to train staff agency-wide on fraud risks. In November 2019, CMS provided fraud-awareness training videos for new and current CMS employees. GAO requested and is awaiting documentation to show the mandatory nature and annual frequency of the training in order to assess the extent to which the training is consistent with leading practices in fraud risk management.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: The agency agreed with this recommendation. In July 2018, CMS reported that it has initiated the fraud risk assessment for some programs in Medicare, including the Medicare Diabetes Prevention Program expanded model. CMS also reported that it is continuing to draft fraud risk profiles for the Comprehensive End-Stage Renal Disease (ESRD) Care model, the Comprehensive Primary Care Plus model, the permanent Medicare Shared Savings Program, and the new Medicare Beneficiary Identifier. Additionally, CMS reported that it is assessing the Quality Payment Program, established by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), utilizing the GAO fraud risk assessment framework. We will continue to monitor CMS's progress in this area. In November 2019, CMS provided a diagram depicting CMS's approach to assessing fraud risks and a document for Home Health Request for Anticipated Payment, stating that fraud risk assessments on Medicare Diabetes Prevention Program and Quality Payment Program are under development. We requested and are awaiting additional information on CMS's approach and plans for conducting fraud risk assessments in Medicare programs, including the reasoning for program selection, overall order, and anticipated timeframes.
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: The agency agreed with this recommendation. In November 2019, CMS reported on activities to conduct fraud risk assessments in Medicare programs (see Recommendation 2); however, this work is ongoing and the recommendation remains open. Because completion of a fraud risk assessment is necessary before developing an antifraud strategy, this recommendation also remains open. We will continue to monitor CMS's progress in this area.
GAO-18-121, Nov 27, 2017
Phone: (202) 512-9342
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
Agency: Department of Education
Status: Open
Comments: As of August 2019, FSA stated they have addressed the recommendation, but it is still undergoing an internal review. Once we receive documentation, we will determine if it addresses the recommendation.
GAO-18-41SP, Nov 9, 2017
Phone: (202) 512-7215
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: OMB neither agreed nor disagreed with this recommendation. In November 2017, OMB staff noted that the agency was developing its next set of CAP goals, which are usually reserved for a limited set of priorities, and expects to announce these goals concurrent with the FY19 budget. As part of the process, agency staff said they consult relevant Congressional committees and other stakeholders. As of September 2019, OMB had not provided an update on its efforts.
GAO-18-12, Nov 9, 2017
Phone: (202) 512-7215
including 2 priority recommendations
Agency: Department of Labor: Occupational Safety and Health Administration
Status: Open
Comments: OSHA stated that it agrees that workers should be able to report injuries, illnesses, and hazards free of intimidation. OSHA noted that its Field Operations Manual prescribes procedures for facilitating the free and open exchange of information, such as conducting onsite worker interviews without management present. OSHA further stated that when workers indicate interest in offsite interviews, the agency will conduct those interviews as prescribed by the Field Operations Manual. We note in our report that because inspectors inform plant management which workers they want to speak with, supervisors know the identity of workers interviewed onsite. Workers and worker advocates we spoke with expressed concerns about this. OSHA told us that inspectors interview meat and poultry workers offsite infrequently, since these interviews can be challenging and take additional time, and OSHA also may be challenged to find an acceptable venue when the employee is available. In June 2020, DOL informed us that OSHA had signed an alliance with several meat and poultry-related industry associations and that they expect this alliance to help improve overall safety and health for the industry's workers. We continue to believe that there are additional steps OSHA can take to better encourage workers to disclose sensitive concerns, and we look forward to learning how OSHA will draw upon this alliance to help take these steps.
Agency: Department of Labor: Occupational Safety and Health Administration
Status: Open
Comments: OSHA stated that meat and poultry workers should have bathroom access as prescribed by the agency's regulations. They noted that if it is observed that processes indicate lack of bathroom access, or if a worker indicates there is an issue, the agency will investigate. Our report identified a mismatch between the concerns we heard from workers about lack of bathroom access and the problems reported by OSHA. We also reported that workers may not volunteer information about lack of bathroom access unless specifically asked. OSHA may choose to address this issue without routinely asking workers about bathroom access, such as by selectively querying workers based on criteria determined by the agency. In June 2020, DOL informed us that OSHA had signed a national alliance with several meat and poultry-related industry associations, and that bathroom access is one of the topics that will be addressed within this alliance, with a goal of developing educational materials. We note that this is a positive step forward, and we continue to stand by our recommendation.
Agency: Department of Labor: Occupational Safety and Health Administration
Status: Open
Comments: In June 2020, DOL informed us that OSHA continues work on updating its guidance for employers on how to manage their health units to address the challenges of managing these units, and that OSHA anticipates initiating clearance of the draft updated guidance in fall 2020. We will consider closing this recommendation when this effort is complete.
Agency: Department of Labor: Occupational Safety and Health Administration
Status: Open
Priority recommendation
Comments: In February 2020, OSHA reported that OSHA and FSIS drafted an updated MOU, which both parties are reviewing. The two agencies met in Summer 2019 to discuss workplace safety, collaboration between the two agencies, and the implementation of the MOU. During a series of working meetings, they discussed each aspect of the MOU, including training and coordination activities. FSIS and OSHA will continue to meet routinely and review the MOU to determine whether adjustments are needed, as appropriate. We will consider closing this recommendation when this effort is complete.
Agency: Department of Agriculture: Food Safety and Inspection Service
Status: Open
Priority recommendation
Comments: FSIS stated that it already has directives in place to recognize and report hazards affecting FSIS employees, and acknowledged that the MOU was designed to additionally have FSIS employees report hazards affecting plant employees due to the regular presence of its inspectors in plants. FSIS noted that in collaborating with OSHA, FSIS will need to ensure its primary mission is not compromised by undertaking activities that take time and resources away from its food safety inspection responsibilities. In January 2019, OSHA reported that it met with FSIS several times to discuss chemical exposures, referrals, and issues of jurisdiction in state plan states. FSIS subsequently shared the results from a NIOSH health hazard evaluation that was conducted, as well as the efforts to track the source of the infected birds. To fully implement this recommendation, FSIS should strengthen the MOU and develop a mechanism to regularly evaluate it, which would help ensure that the goals of the MOU are met; leveraging FSIS's presence in plants provides the federal government with a cost-effective opportunity to protect worker safety and health.
Agency: Department of Agriculture: Food Safety and Inspection Service
Status: Open
Comments: FSIS stated that the agency already has a process for sharing chemical safety information with its inspectors. However, FSIS has not provided us with evidence that it has shared the worker safety information it collects related to new chemicals, such as safety information that is specific for dilution levels and conditions of use at plants, as noted in the report. FSIS also stated that it would take certain steps to share information about approval of chemicals with other agencies such as OSHA and NIOSH, but the steps identified did not include sharing worker safety information. Incorporating worker safety information would further help enhance this information sharing. FSIS further stated that some of the information collected during its review of new chemicals may be proprietary.
GAO-18-30, Nov 8, 2017
Phone: (404) 679-1875
Agency: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency: Office of Response and Recovery: Assistant Administrator for Recovery
Status: Open
Comments: FEMA concurred with this recommendation and said it would take steps to implement it. As of September 2018, officials reported completing activities to develop disaster-specific mitigation performance measures that align with strategic goals and analyzed available data to identify the drivers of mitigation in events of various sizes. Due to hiring delays associated with the establishment of the 406 Mitigation Branch, officials have extended the expected completion date for all actions, including proposing refined performance measures to FEMA senior leadership, to the end of January 2019. As of December 2019, GAO is awaiting a response from FEMA on their progress completing these actions.
GAO-18-118, Nov 6, 2017
Phone: (202) 512-8678
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In September 2020, the Federal Reserve told us the status of their response to this recommendation had remained unchanged since their August 2018 update. In August 2018, the Board of Governors reported to us that it was developing its ERM framework. The Board added that it was establishing a Board Risk Committee (comprised of senior leaders) to oversee its ERM program and serve as the central forum for addressing Board-wide risk issues. The Board also said that it has begun to implement a number of strategic components of the ERM framework. In August 2019, the Board stated that in their view, the ERM framework they are developing would not significantly alter the management processes that the Board and System have in place under the LISCC program that continue to work effectively. The Board reported to us that it has continued to develop the ERM program with guidance of the Board Risk Committee, which meets quarterly, and continues to serve as the central forum for Board-wide risk issues and oversight of the ERM program. In August 2020, the Board added that it would take several years to develop the ERM program. The Board also will continue to implement strategic components of the ERM framework throughout the Board.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In September 2020, the Federal Reserve told us the status of their response to this recommendation had remained unchanged since their August 2019 update. In August 2019, the Board of Governors told us that the LISCC supervisory program had taken several steps to "finalize and implement program-wide guidance for the LISCC Reserve Banks on implementing LISCC policies." The Board reported that in 2017 it had issued a near-final LISCC program manual, which they said will memorialize all aspects of the LISCC supervisory program. The Board added the updated manual will reflect the results of a self-assessment of the LISCC Program's first full year of operations under the LISCC core program model, and the initial implementation of the new Large Financial Institution Ratings Framework. The Board also said that, since the last update, the LISCC supervisory program's operating policies, procedures, and templates for the conduct of supervisory activities have been completed and implemented.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In September 2020, the Federal Reserve told us the status of their response to this recommendation had remained unchanged since their August 2018 update. In August 2018, the Board of Governors told us that they were assessing the feasibility of integrating existing electronic systems. They added that they have drafted guidance that develops a LISCC-specific conflicts of interest and examiner credential program that will seek to ensure consistency in the interpretation and application of conflicts of interest rules for all staff, both at the Board and the Reserve Banks, that participate in the LISCC supervisory program. They said that the Board plans to issue this guidance and begin implementation of a more consistent and centralized disclosure review approach in 2018. In addition, they said that they have begun collecting and storing conflicts of interest disclosure information for all LISCC participants, including Board LISCC staff, in one electronic system. They added that they have provided initial training to Board LISCC staff on the disclosure review process and the electronic system to ensure consistent collection of conflicts of interest data for all LISCC participants.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In September 2020, the Federal Reserve told us the status of their response to this recommendation had remained unchanged since their August 2018 update. In August 2018, the Board of Governors told us that they had implemented policies intended to mitigate the risk that an employee may be influenced by prior employment or the prospect of future employment and place their private interests ahead of the organization's supervisory mission. As an example, they said that recently the Federal Reserve broadened the scope of post-employment restrictions applicable to senior examiners. They added that the Board has begun to develop a more systematic approach to collect and monitor pre- and post-employment data through the use of an electronic system. They said that this updated electronic system is scheduled to be released, for both Board and Reserve Banks use, in 2019.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: In September 2020, the Federal Reserve told us the status of their response to this recommendation had remained unchanged since their August 2018 update. In August 2018, the Board of Governors told us that their Ethics program staff and Supervision & Regulation staff are jointly assessing the current ethics programs, policies, and procedures applicable to LISCC program participants. The Federal Reserve expects to finalize and implement new conflicts of interest policies and procedures applicable to LISCC participants in 2019.
GAO-18-72, Oct 26, 2017
Phone: (202) 512-2834
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.
GAO-17-768, Sep 28, 2017
Phone: (202) 512-5257
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow-up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include the issuance of the mission assurance instruction in August 2018 that guides the identification, prioritization, and assessment of defense critical infrastructure. Further, Executive Order 13806 required that DOD perform a whole-of-government assessment of the manufacturing and the defense industrial base, assess risk, identify impacts, and propose mitigation strategies. DOD issued the resulting report in October 2018, which includes a focus on numerous single source and sole supply risks. Lastly, DOD officials stated that DOD senior leadership and Congress were briefed in May 2019 on investments planned to reduce risks and that updates will be included in an annual Industrial Capabilities Report to Congress. DOD placed considerable focus on defense industrial base issues in the past year; we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow-up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include a description of the mission assurance process and the annual report on the industrial capabilities that were already in place at the time of issuance of this report and therefore do not represent a change or response to this recommendation. Another key corrective action identified is the issuance of the report in response to Executive Order 13806 in October 2018, which provides a whole-of-government assessment of the defense industrial base risks and impacts, and the associated Hill briefing. DOD placed considerable focus on defense industrial base issues in the past year as a result of the Executive Order; we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow-up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include the mission assurance process that was already in place at the time of the issuance of this report, which does not reflect a change in response to this recommendation. However, other key corrective actions identified include the identification of several DOD-owned assets in the report DOD issued in response to Executive Order 13806 in October 2018. Further, DOD states that it will provide yearly updates to Congress in its Industrial Capabilities report. Lastly, the corrective actions state that DOD will continue to execute risk mitigation identified in its October 2018 report. DOD placed considerable focus on defense industrial base issues in the past year as a result of the Executive Order; we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. As of August 2018, DOD officials stated that they are in the process of developing proactive steps to share information on risks identified through the annual CAIP with relevant program managers, or other designated service or program officials as necessary. However, in June 2019, DOD shared the key corrective actions identified for this recommendation, which include a description of the mission assurance process that was already in place at the time of issuance of this report and therefore do not represent a change or response to this recommendation. It further states that the Critical Asset Identification Process is addressed in semi-annual Joint Industrial Base Working Group meetings, which are attended by all service and agency industrial base representatives. As of November 2019, DOD officials did not respond to a request for more detail; we will continue to assess DOD's actions.
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. As of August 2018, DOD officials stated that assessing the health of the defense industrial base and associated supply chains was the focus of an Executive Order issued in July 2017 and that the resulting inter-agency report will be released within the next year. DOD officials stated that the issuance of this report will provide significant information towards addressing this recommendation. However, in June 2019, DOD provided key corrective actions for this recommendation, which stated that multiple services and agencies began in 2018 to incorporate contracting language to require prime contractors to track and provide sub-tier data and that this effort will expand to cover more programs. Further, it states that in the Industrial Base Integrated Data System, suppliers are indicated as either single or sole source suppliers and that the services and agencies have access to this list. As of November 2019, DOD officials did not respond to a request for more detail; we will continue to assess DOD's actions.
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD concurred with this recommendation. The DOD official that is the lead for the Diminishing Manufacturing Sources and Material Shortages (DMSMS) program stated that as of July 2019, the department has completed the draft DMSMS instruction and accompanying manual that details program requirements, responsibilities, and procedures to be followed. The draft instruction is undergoing legal review and the official expects the instruction and manual to be issued by December 2019. As of November 2019, this recommendation will remain open and we will review the instruction once issued.
GAO-17-720, Sep 28, 2017
Phone: (202) 512-3841
Agency: Executive Office of the President
Status: Open
Comments: As of July 14, 2020, the Executive Office of the President has yet to take action on this recommendation.
GAO-17-799, Sep 26, 2017
Phone: (202) 512-9869
Agency: Department of Homeland Security
Status: Open
Comments: DHS stated that it remains committed to its financial system modernization program and agrees that effective processes and guidance are necessary to assure best practices. In September 2020, DHS officials informed us that they did not have any updates to report on efforts to address this recommendation. We will continue to follow up with DHS on actions to address this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: DHS stated that it is committed to its financial system modernization program and agrees that effective processes and guidance are necessary to assure best practices. In September 2019, DHS provided documentation that crosswalked DHS's Risk Management Training Aide to the Capability Maturity Model Integration (CMMI) for acquisition risk management best practices. However, the optional nature of the language used in the Training Aide does not reasonably assure that program offices will follow the suggested guidance. Also, the Training Aide does not specifically require the linking of thresholds to cost, schedule, and performance elements of identified risks. Based on our review of the information provided, DHS's corrective actions were not sufficient for addressing the intent of our recommendation. We will continue to evaluate DHS actions to address this recommendation.
GAO-17-794, Sep 11, 2017
Phone: (202) 512-7141
Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Comments: DHS concurred with this recommendation and has begun taking steps intended to address it. In May 2018, officials with DHS's Requirements and Capabilities Analysis (RCA) reported conducting a literature review to identify ways DHS might be able to measure deterrence. ORCA officials reported looking to published studies and other agencies to identify data sources and methods, and were in the process of developing a model to assess the deterrent value of various aviation security countermeasures. In July 2019, TSA officials reported that they were continuing to develop this model which could better inform deployment of deterrence-related countermeasures. As of October 2020, DHS has provided no further updates on steps taken to implement this recommendation. To fully address this recommendation, TSA will need to fully develop this or another method to assess the deterrent effect of TSA's aviation security countermeasures.
GAO-17-267, Aug 17, 2017
Phone: (202) 512-9286
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the Grants and Member Management (GMM) system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a commercial off-the-shelf (COTS) application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet defined requirements for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a project schedule for completing the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
Agency: Corporation for National and Community Service
Status: Open
Comments: In November 2018, CNCS officials stated that the agency made the decision to terminate the development of the GMM system. They subsequently awarded a contract to assess the state of development for the GMM system and to provide recommendations on the actions CNCS needed to take in order to implement a COTS application for core grants management functions. According to CNCS officials, based on the findings from that assessment, further investments in developing customized applications (even an implementation of a COTS application) were not likely to be successful. As of September 2019, CNCS officials stated that they were pursuing the option of a federal shared service as a solution to grants management. As of November 2019, according to CNCS officials, the agency had not yet established a timeframe to define test plans for the selected solution for the grant monitoring system project because the decision to pursue the federal shared services as a solution for grants management is very recent. CNCS officials agreed to provide GAO with an update as further progress is made on this recommendation.
GAO-17-706, Jul 31, 2017
Phone: (202) 512-8777
Agency: Department of Homeland Security
Status: Open
Comments: We reported that the Department of State and DHS's U.S. Citizenship and Immigration Services (USCIS) have not jointly assessed applicant fraud risks across the U.S. Refugee Admissions Program (USRAP), consistent with federal internal control standards and leading practices for fraud risk management. Specifically, we reported that although State and USCIS perform a number of fraud risk management activities and have responded to individual instances of applicant fraud in the program, these efforts do not position State and USCIS to assess fraud risks program-wide for USRAP or know if their controls are appropriately targeted to the areas of highest risk in the program. Therefore, we recommended that the Secretaries of Homeland Security and State conduct regular joint assessments of applicant fraud risk across USRAP. USCIS concurred with our recommendation. In response, State reported that it will work together with USCIS to conduct joint risk assessments by jointly developing a risk assessment framework. According to DHS and State documentation, the departments finalized a joint framework in January 2018. In February 2019, DHS and State provided us with the interim progress report on their efforts to conduct an assessment of applicant fraud risk across USRAP. In June 2019, USCIS reported that DHS and State have completed the planned analysis and the draft report is being prepared for leadership review and clearance. DHS estimated that the report will be completed by September 30, 2020. To fully address the recommendation, State and USCIS should jointly conduct regular fraud risk assessments across USRAP.
Agency: Department of State
Status: Open
Comments: We reported that the Department of State and DHS's U.S. Citizenship and Immigration Services (USCIS) have not jointly assessed applicant fraud risks across the U.S. Refugee Admissions Program (USRAP), consistent with federal internal control standards and leading practices for fraud risk management. Specifically, we reported that although State and USCIS perform a number of fraud risk management activities and have responded to individual instances of applicant fraud in the program, these efforts do not position State and USCIS to assess fraud risks program-wide for USRAP or know if their controls are appropriately targeted to the areas of highest risk in the program. Therefore, we recommended that the Secretaries of Homeland Security and State conduct regular joint assessments of applicant fraud risk across USRAP. USCIS concurred with our recommendation. In response, State reported that it will work together with USCIS to conduct joint risk assessments by jointly developing a risk assessment framework. According to DHS and State documentation, the departments finalized a joint framework in January 2018. In February 2019, DHS and State provided us with the interim progress report on their efforts to conduct an assessment of applicant fraud risk across USRAP. In June 2019, USCIS reported that DHS and State have completed the planned analysis and the draft report is being prepared for leadership review and clearance. DHS estimated that the report will be completed by September 30, 2020. To fully address the recommendation, State and USCIS should jointly conduct regular fraud risk assessments across USRAP.
GAO-17-668, Jul 27, 2017
Phone: (202) 512-9971
Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open
Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.
Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open
Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.
Phone: (202) 512-2834
Agency: National Gallery of Art
Status: Open
Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation.
GAO-17-501, Jul 26, 2017
Phone: (202) 512-3841
Agency: Congress
Status: Open
Comments: As of March 2020, Congress has not taken action to implement this matter.
Agency: Department of Agriculture
Status: Open
Comments: As of March 2020, the Department of Agriculture has not taken action to implement this recommendation.
GAO-17-650, Jul 20, 2017
Phone: (202) 512-7141
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Comments: In March 2018, the CBP liaison informed GAO that offices within CBP are collaborating on a plan to assess additional performance metrics to evaluate the effectiveness of the ISF program. On June 13, 2018, the CBP liaison stated that CBP staff continue to work on additional performance metrics to evaluate the effectiveness of the ISF program and noted, in particular, that they are analyzing data to: (1) identify the number of unmanifested containers and determine how/if they were mitigated before arrival; (2) determine the number of times C-TPAT companies were identified and given targeting benefits, but did not receive the same treatment based on manifest information; and (3) identify the number of times potential terrorism matches were made against ISF entities vs. the number of times not matched using the same manifest data. In March 2019, the CBP liaison stated that the new estimated completion date for this recommendation is the end of 2019. This recommendation will remain open until CBP's planned actions are completed and meet the intent of GAO's recommendation. In late February 2020, CBP liaison staff informed GAO that they are continuing to work on this recommendation, which they expect to complete by March 31, 2020.
GAO-17-569, Jun 20, 2017
Phone: (202) 512-2834
Agency: Department of Commerce: National Telecommunications and Information Administration: First Responder Network Authority
Status: Open
Comments: As of March 2020, FirstNet had taken some action in response to this recommendation but had not fully implemented it. Once we confirm that FirstNet has taken additional action, we will provide updated information.
GAO-17-284, May 18, 2017
Phone: (202) 512-4456
Agency: Department of Homeland Security
Status: Open
Comments: In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.
GAO-17-306, May 3, 2017
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Congress
Status: Open
Comments: As of March 2020, Congress is continuing to consider whether to implement this Matter.
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: As of January 2020, DOE is taking steps to implement GAO's May 2017 recommendation. In 2017, DOE's Office of River Protection contracted with Savannah River National Laboratory, a federally funded research and development center, to evaluate viable treatment options for supplemental low-activity waste. According to DOE, the National Academies of Sciences, Engineering, and Medicine conducted a peer review of that laboratory's evaluation. The laboratory issued a final report in October 2019, and the National Academies issued a final report in late March 2020. According to DOE officials, both reports include information DOE may be able to use in making a decision about treating supplemental low-activity waste. DOE told GAO that they plan to use the studies as scoping documents as they move forward with the decision process. According to DOE officials, as of January 2020, DOE plans to decide how it will treat supplemental low-activity waste by 2026. In addition, in response to GAO's May 2017 recommendation, DOE said it successfully completed the first phase of a project--called the Test Bed Initiative--in December 2017 to demonstrate the feasibility of grouting, transporting, and disposing of three gallons of Hanford's low-activity waste at an alternate disposal site in Andrews, Texas. As of November 2018, DOE was beginning a second phase to demonstrate the feasibility of grouting, transporting, and disposing of 2,000 gallons of Hanford's low-activity waste at the same site in Texas. However, DOE stopped the demonstration project in spring 2019 when it withdrew its permit application for the Test Bed Initiative. According to DOE officials, this was because the State of Washington Department of Ecology (Ecology) proposed that DOE and Ecology engage in negotiations to develop a "holistic and realistic" approach to the retrieval and treatment of Hanford's tank waste. 
Congressional appropriations committees directed that DOE could spend up to $10 million to continue the Test Bed Initiative in fiscal year 2020, but DOE officials do not have specific plans for resuming the initiative. In October 2018, DOE requested public comment on a new interpretation of the statutory term "high level waste," which if the agency adopts it, could facilitate the use of alternate treatment and disposal methods. The National Defense Authorization Act for Fiscal Year 2020 prohibits DOE from spending its fiscal year 2020 funds on applying this high-level radioactive waste interpretation at Hanford, and as a result, DOE officials stated that DOE does not have near-term plans to use this high-level waste interpretation for supplemental low-activity waste at Hanford. Until DOE develops information that reflects what is now known about the performance of alternate treatment and disposal methods, such as immobilizing tank waste in grout, congressional and agency decision makers will not have access to current scientific information as they decide how to best allocate limited financial resources among many competing needs. Moreover, having updated information on the effectiveness of alternate methods for treating supplemental low-activity waste will help to inform DOE's discussions with the state of Washington.
Agency: Department of Energy
Status: Open
Comments: As of January 2020, DOE is taking steps to implement GAO's May 2017 recommendation. In 2017, DOE's Office of River Protection contracted with Savannah River National Laboratory, a federally funded research and development center, to evaluate viable treatment options for supplemental low-activity waste. According to DOE, the National Academies of Sciences, Engineering, and Medicine conducted a peer review of that laboratory's evaluation. The laboratory issued a final report in October 2019, and the National Academies issued a final report in late March 2020. According to DOE officials, both reports include information DOE may be able to use in making a decision about treating supplemental low-activity waste. DOE told GAO that they plan to use the studies as scoping documents as they move forward with the decision process. According to DOE officials, as of January 2020, DOE plans to decide how it will treat supplemental low-activity waste by 2026. In addition, in response to GAO's May 2017 recommendation, DOE said it successfully completed the first phase of a project--called the Test Bed Initiative--in December 2017 to demonstrate the feasibility of grouting, transporting, and disposing of three gallons of Hanford's low-activity waste at an alternate disposal site in Andrews, Texas. As of November 2018, DOE was beginning a second phase to demonstrate the feasibility of grouting, transporting, and disposing of 2,000 gallons of Hanford's low-activity waste at the same site in Texas. However, DOE stopped the demonstration project in spring 2019 when it withdrew its permit application for the Test Bed Initiative. According to DOE officials, this was because the State of Washington Department of Ecology (Ecology) proposed that DOE and Ecology engage in negotiations to develop a "holistic and realistic" approach to the retrieval and treatment of Hanford's tank waste. 
Congressional appropriations committees directed that DOE could spend up to $10 million to continue the Test Bed Initiative in fiscal year 2020, but DOE officials do not have specific plans for resuming the initiative. In October 2018, DOE requested public comment on a new interpretation of the statutory term "high level waste," which if the agency adopts it, could facilitate the use of alternate treatment and disposal methods. The National Defense Authorization Act for Fiscal Year 2020 prohibits DOE from spending its fiscal year 2020 funds at Hanford on this high-level radioactive waste interpretation, and as a result, DOE officials stated that DOE does not have near-term plans to use this high-level waste interpretation for supplemental low-activity waste at Hanford. Until DOE develops information that reflects what is now known about the costs of alternate treatment and disposal methods, such as immobilizing tank waste in grout, congressional and agency decision makers will not have access to current cost information as they decide how to best allocate limited financial resources among many competing needs.
GAO-17-474, May 1, 2017
Phone: (202) 512-8777
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection (CBP) Air and Marine Operations (AMO) air domain awareness efforts. In March 2018, CBP completed an Air Domain Awareness Capability Analysis Report that identifies current capability gaps, including those related to ultralight aircraft. CBP stated that it plans to build upon the Capability Analysis Report to identify mission needs, a concept of operations, and operational requirements to address ultralight aircraft and other threats in the air domain. In February 2020, AMO reported that, in 2019, it conducted a technical assessment of one technology and plans to assess other systems in 2020 and 2021 to help determine if they fit into AMO's larger strategic vision for persistent wide area surveillance to address ultralight aircraft and other threats in the air domain. To fully address our recommendation, CBP should assess and document how alternative solutions will meet operational requirements related to ultralight aircraft.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate. As of March 2020, CBP and ICE have not reported taking any actions to develop performance measures and targets. To fully address our recommendation, CBP and ICE should establish and monitor performance measures and targets related to cross-border tunnels.
Agency: Department of Homeland Security
Status: Open
Comments: DHS concurred and stated that within U.S. Customs and Border Protection (CBP), Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. However, in December 2019, CBP reported that it will no longer pursue establishing a performance measure because it found that the ultralight aircraft interdiction rate fluctuated year to year, and that the number of ultralight aircraft incidents had been trending downward. Subsequently, in September 2020, CBP officials stated that they had reinitiated efforts to develop a performance measure and target in response to our continued belief that they can be set and would help CBP monitor performance to ensure that technology investments and operational responses to address ultralight aircraft are effective. To fully address our recommendation, CBP should establish a measure and monitor performance related to ultralight aircraft.
Agency: Department of Homeland Security
Status: Open
Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. In May 2018, CBP stated that it is looking for opportunities to standardize procedures for the detection, interdiction, mapping, and remediation of cross-border tunnels. To this end, CBP has plans to develop a standardized training on tunnel identification and tactics, techniques, and procedures for different types of tunnels. In addition, CBP is working to develop a consistent process that will facilitate coordination and collaboration with ICE. In March 2019, CBP reported that CBP and ICE have begun to routinely meet to collectively develop processes for using tunnel robotics, including processes to enhance communication between CBP and ICE. In September 2020, CBP and ICE reported that they do not plan to take any additional steps to address this recommendation. To fully address our recommendation, CBP and ICE should establish standardized procedures for addressing tunnels, including procedures for sharing information with one another.
Agency: Department of Homeland Security
Status: Open
Comments: DHS did not concur with this recommendation. DHS stated that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. In February 2020, DHS reported that the department had not taken any further actions to implement this recommendation. We continue to believe that the recommendation is valid and will monitor any actions DHS takes that are responsive to it. For example, in response to a requirement in the National Defense Authorization Act for Fiscal Year 2017, DHS issued reports in May 2018, February 2019, and August 2020 that contain metrics and planned metrics to measure the effectiveness of border security in the maritime environment and other domains. Planned metrics that DHS does not yet have a methodology to measure across all components include situational awareness in the maritime environment, illicit drugs removal rate, and DHS maritime threat response rate. To fully address our recommendation, DHS should measure its performance related to smuggling across U.S. maritime borders.
GAO-17-425, Apr 27, 2017
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: As of July 2020, Congress has not passed comprehensive reform of NFIP, but Congress is considering various reforms as it works to reauthorize the program. We will review the status of this item if and when such legislation passes.
GAO-17-300, Apr 6, 2017
Phone: (202) 512-8777
Agency: Department of Homeland Security
Status: Open
Comments: In April 2019, DHS provided the National Counterterrorism Strategy as evidence that the department is including terrorism prevention as a necessary tool to meet its missions. While the strategy discusses terrorism prevention, it does not include specific activities or efforts, identify the agencies that will lead these efforts, or describe measurable outcomes for these efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.
Agency: Department of Justice
Status: Open
Comments: As of August 2019, DOJ has not provided a response to our recommendation. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DOJ's involvement in these efforts as DHS develops its plan.
Agency: Department of Homeland Security
Status: Open
Comments: In April 2019, DHS provided a commissioned review of CVE programs and activities that was expected to help identify ways to measure their effectiveness. The report provides a broad assessment of past activities and suggestions for measures and metrics going forward, but does not establish a process for agencies to measure the success of their activities or overall progress of CVE efforts. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DHS's progress in this area as it develops its plan.
Agency: Department of Justice
Status: Open
Comments: As of August 2019, DOJ has not provided a response to our recommendation. In June 2019, DHS indicated that CVE-style prevention work would fall under a newly formed Office for Targeted Violence and Terrorism Prevention under which it will be part of a broad counterterrorism strategy that DHS plans to have ready by this fall. We will continue to monitor DOJ's involvement in these efforts as DHS develops its plan.
GAO-17-415, Apr 5, 2017
Phone: (202) 512-4523
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation and stated that the Marine Corps' plans for the movement of units from Okinawa to Guam have considered many factors, including, among others, the capabilities required to support Pacific Command and the logistical requirements associated with the movement of forces. In March 2020, DOD stated that the Marine Corps and Pacific Command have done extensive planning and analysis to determine how best to posture, move, and support distributed III Marine Expeditionary Force Marines. However, as of May 2020, DOD has not provided documentation of this analysis. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation and stated that it has already conducted an extensive analysis of training needs. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. As of March 2020, DOD had not identified any additional runways and stated that this is a Government of Japan responsibility. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. As of March 2020, DOD stated that no new decisions have been made regarding the Australia rotation. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. In March 2020, DOD stated that the updated integrated master schedule for Guam conforms to the GAO Schedule Assessment Guide and accounts for the best practices of a reliable schedule. However, as of May 2020, we have not received an updated integrated master schedule that meets the criteria for a reliable schedule.
Agency: Department of Defense
Status: Open
Comments: DOD nonconcurred with this recommendation. In March 2020, DOD stated that the department does not accept the assertion that GAO's best practices for cost estimates are universally applicable to a wide range of activities that includes military construction, acquisition, or basing. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. As of March 2020, DOD stated that it continues to update its cost estimates for the Hawaii program in line with GAO's cost estimating guide but did not agree that detailed cost estimates are required at this early planning stage to make decisions in the 2026 timeframe and beyond. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. As of March 2020, DOD stated that it continues to update its cost estimates for the Australia program in line with GAO's cost estimating guide. However, DOD stated that since Australia will build or provide much of the infrastructure enhancements in support of the Marine Corps, cost estimates will not incorporate the construction costs. As of May 2020, DOD has not provided documentation of actions the agency has taken in response to this recommendation. We continue to believe the recommendation is valid and will monitor DOD's efforts to address it.
GAO-17-235, Mar 30, 2017
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Department of Energy
Status: Open
Comments: In its comments on a draft of the report in March 2017, DOE concurred in principle with this recommendation, stating that it already had an established, detailed DOE-wide invoice review policy provided in DOE's Financial Management Handbook and in the DOE Acquisition Guide. In February 2020, DOE issued an update to its Financial Management Handbook that included additional procedures to address intra-governmental payment and collection transactions. However, neither the prior version of the Financial Management Handbook nor the additional information includes invoice review procedures. The Financial Management Handbook refers users to the DOE Acquisition Guide for procedures for invoice review. However, the Acquisition Guide states that it is intended to offer general guiding principles for approving officials to consider when reviewing and analyzing cost elements included in contract invoices--as opposed to detailed procedures for invoice review--and does not require sites to establish well-documented invoice review operating procedures, as we recommended.
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: In its comments on a draft of the report in March 2017, DOE partially agreed with the recommendation. In its written comments on the report, DOE stated that it considered the recommendation to be closed without corrective action and that it would rely on the existing Office of Financial Policy and Internal Controls and on the DOE Office of Inspector General (OIG) to design and oversee financial fraud risk management activities. However, we disagree that relying in part on the OIG to design and oversee fraud risk management activities meets best practices because, according to GAO's Fraud Risk Framework, the dedicated entity should not include the OIG so that the OIG can maintain its independence. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE expects to establish a new group in fiscal year 2020 that will oversee DOE's fraud risk management activities. We will continue to monitor DOE's progress in implementing this recommendation.
Agency: Department of Energy
Status: Open
Comments: In its comments on a draft of the report in March 2017, DOE concurred with the substance of the recommendation; however, they considered the recommendation to be closed without corrective action because DOE believed that its risk assessments met the requirements of the Improper Payments Elimination and Recovery Improvement Act of 2012, as reported by the Office of Inspector General (OIG), and because it has implemented updates to OMB Circular A-123 that added requirements related to managing fraud risk and adherence to GAO's Fraud Risk Framework. However, we found that DOE has not conducted fraud risk assessments that were tailored to its programs and, therefore, do not allow the department to create a fraud risk profile. We also found that, although DOE updated its internal control assessment tools with a list of fraud risks as required by OMB Circular A-123, the list of risks was the same for all DOE sites and was not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, the framework is expected to include changes to DOE's process to develop its fraud risk profile, beginning in fiscal year 2020. We will continue to monitor DOE's progress in implementing this recommendation.
Agency: Department of Energy
Status: Open
Comments: In its comments on the draft report in March 2017, DOE concurred with this recommendation but considered the recommendation closed without corrective action because DOE had implemented the updated OMB Circular A-123 and because DOE's antifraud strategy was embedded in the DOE internal control program. However, DOE officials told us that they had not developed or documented a DOE-wide antifraud strategy or directed individual programs to develop program-specific strategies. Furthermore, DOE's implementation of OMB Circular A-123 included adding a list of potential risks to their internal control assessment tool that were the same for all DOE sites and were not tailored to the sites' different programs. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to develop an antifraud strategy in fiscal year 2021. We will continue to monitor DOE's progress in implementing this recommendation.
Agency: Department of Energy
Status: Open
Comments: In its comments on the draft report in March 2017, DOE stated that it concurred in principle with the recommendation, but that it had implemented the recommendation. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.
Agency: Department of Energy
Status: Open
Comments: In its comments on the draft report in March 2017, DOE did not agree to implement this recommendation because officials believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. In May 2020, DOE officials said they were developing a fraud risk and data analytics framework. Among other steps, DOE is planning to begin in fiscal year 2022 to use data analytics across the agency to prevent fraud. We will continue to monitor DOE's progress in implementing this recommendation.
GAO-17-366, Mar 23, 2017
Phone: (202) 512-8678
Agency: Department of Transportation
Status: Open
Comments: The Department of Transportation agreed with the recommendation. In March 2018, the Federal Aviation Administration (FAA) stated that the agency planned to conduct a rulemaking to address any updates to the cost-of-casualty amount. As part of the rulemaking, FAA planned to engage with the commercial space and insurance industries to obtain views on an appropriate cost-of-casualty amount and implications of any changes. However, in February 2019, FAA stated that it has been unable to conduct the planned rulemaking due to a competing priority that will continue through 2020. FAA has requested input from the industry on prioritizing needed rule revisions and will develop a plan for updating the cost-of-casualty amount based on the industry's prioritization recommendations. We will continue to monitor FAA's actions in response to this recommendation.
GAO-17-204, Mar 23, 2017
Phone: (202) 512-6912
Agency: Department of Homeland Security: United States Citizenship and Immigration Services
Status: Open
Comments: In March 2017, we found that USCIS does not track or monitor whether SAVE users have completed training and therefore does not have reasonable assurance that users have mastered SAVE policies and procedures prior to accessing the system. We recommended that USCIS develop and implement a mechanism to oversee agencies' completion of training on additional verification in accordance with SAVE provisions and program policies. The USCIS Verification Division reported that it planned to have additional training for SAVE users developed by December 31, 2017. The SAVE Program would then offer training events for agencies on the new material reflecting the agency user requirements for additional verification as well as system enhancements. In September 2017, the Verification Division implemented part one of this recommendation, a monthly webinar training session on user agency responsibilities and additional verification. This training can also be delivered to user agencies upon request. For part two of this recommendation, the SAVE program also developed training features to oversee agencies' completion of training. These training features are a system enhancement that will be incorporated into SAVE's overall modernization effort and was expected to be completed by September 30, 2019. In the interim, SAVE is implementing several other enhancements that will reduce the number of cases sent to additional verification, including the completion of modernized matching logic and initial verification screens and retiring less efficient access methods. In September 2019, SAVE officials told us that SAVE has reduced the number of cases sent to additional verification by retiring inefficient access methods and completing modernization of SAVE matching logic and initial verification screens. However, SAVE officials said they also determined that they must update the SAVE tutorial platform and content to account for these and other changes. Officials said that while SAVE is updated, the program continues to provide training, resources, and other support to user agencies to help ensure they are performing additional verification in accordance with SAVE MOA provisions and program policies. The new estimated completion date is February 28, 2021.
GAO-17-90, Mar 21, 2017
Phone: (202) 512-7215
Agency: Corporation for National and Community Service
Status: Open
Comments: CNCS has been working since September 2018 to review and update its risk assessment process. The CNCS Office of Research and Evaluation has developed a methodology to determine the appropriate score and weight for the assessment indicators. It plans to fully implement the new risk assessment process in fiscal year 2020. To close this recommendation, CNCS will need to show documentation for how it selected and weighted revised indicators to cover identifiable risks, and how the revised scoring system identifies the riskiest grants.
Agency: Corporation for National and Community Service
Status: Open
Comments: As of July 2019, CNCS stated that revisions to the agency-wide risk assessment instrument include indicators to address prime grantee monitoring and oversight of subrecipients. CNCS established a new Office of Monitoring in 2019, which will be responsible for reviewing and improving monitoring protocols, including those related to subrecipient activities. Enhanced monitoring protocols will be implemented as part of its fiscal year 2020 monitoring plan. To help close this recommendation, CNCS will need to show how it has expanded information it collects pertaining to subrecipients, and how its monitoring efforts reflect this.
Agency: Corporation for National and Community Service
Status: Open
Comments: In July 2019, CNCS reported that the new Office of Monitoring supports the agency's May 2018 Transformation and Sustainability Plan goals related to monitoring and evaluating results. This office is developing a monitoring strategy to align with the agency's IT system improvements, and will allow for reporting and data to support a systematic evaluation of grant monitoring results. To help close this recommendation, CNCS will need to show how the agency has used outcomes and findings from its grant monitoring activities to help guide improvements to these activities.
Agency: Corporation for National and Community Service
Status: Open
Comments: As of July 2019, CNCS is in the process of realigning its grant management and monitoring functions. The agency plans to document critical competencies for grant management and monitoring roles and establish a training program to strengthen its grant monitoring performance. By December 2019, CNCS plans to implement a comprehensive orientation curriculum, a more effective onboarding procedure, and updated staff support training materials, among other changes to its training efforts. To close this recommendation, CNCS will need to determine which competencies are critical for grant monitoring, and show how the competencies are linked with the agency's training planning processes and agency goals.
GAO-17-293, Mar 21, 2017
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Department of the Interior
Status: Open
Priority recommendation
Comments: In its June 9, 2017, response to our report, Interior indicated that BSEE is developing new strategies to improve trust and foster greater collaboration for consideration by the new Director. In September 2018, Interior provided documentation of several BSEE actions, including establishing an Employee Engagement Council, an Innovation Program, and Ombudsman position within the bureau. As of August 2020, BSEE indicated that these efforts remain ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of improved communication throughout the bureau.
Agency: Department of the Interior
Status: Open
Comments: In its June 2017 response to our report, Interior indicated that BSEE will incorporate lessons learned from its first enterprise risk management cycle in future cycles and that BSEE will incorporate a performance management dashboard in fiscal year 2018. In August 2019, BSEE provided documentation regarding actions it has taken to implement and institutionalize its enterprise risk management and performance measure initiatives. In August 2020, BSEE indicated that implementation of these processes remains ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of improved internal management initiatives and ongoing strategic initiatives throughout the bureau.
Agency: Department of the Interior
Status: Open
Comments: In its June 2017 response to our report, Interior indicated that BSEE's response to this recommendation would be incorporated into its corrective actions for recommendation one. In September 2018, Interior provided documentation of several BSEE actions, including establishing an Employee Engagement Council, an Innovation Program, and Ombudsman position within the bureau. As of August 2020, BSEE indicated that these efforts remain ongoing. However, this recommendation remains open because BSEE has not yet demonstrated that these actions represent an enduring institutionalization of expanded employee engagement throughout the bureau.
GAO-17-211, Mar 1, 2017
Phone: (202) 512-4841
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: In providing comments on this report, the agency concurred with this recommendation. As of July 2020, the Navy had commissioned a study of its use of additional incentives on fixed-price incentive contracts across its shipbuilding programs. The Navy plans to socialize this report with the shipbuilding program executive offices so that they can share lessons learned across the shipbuilding enterprise. The estimated completion date for this effort is the fourth quarter of fiscal year 2020. Following completion of that effort, in the first quarter of fiscal year 2021, the Navy plans to provide recommendations regarding the use of additional incentives on fixed-price incentive contracts across its shipbuilding programs.
GAO-17-184, Jan 27, 2017
Phone: (202) 512-7114
Agency: Department of Health and Human Services
Status: Open
Comments: HHS concurred with this recommendation. As of February 2020, HHS provided information describing actions it has taken to help increase the use of EHRs and electronic information exchange in post-acute care settings. These actions are important, but do not address the comprehensive planning that GAO recommended. To fully implement this recommendation, HHS should provide information to show comprehensive planning for how HHS's specific actions are expected to lead to achieving the goal of increasing the use of EHRs and electronic information exchange in post-acute settings.
GAO-17-102, Dec 8, 2016
Phone: (202) 512-7215
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed that guidance should be provided to IRA owners and custodians. In 2018, IRS stated that it had discussed this issue with Counsel and Treasury, and it was agreed that fair market value would be a part of the IRA guidance project under the 2017 Priority Guidance Plan. IRS officials said that these new regulations would address FMV for certain categories of hard-to-value unconventional assets. IRS further noted that it would be premature to modify instructions and guidance to custodians on how to determine and document FMV for hard-to-value assets until the new regulations are issued. In their October 2019 update of planned guidance projects, Treasury's Office of Tax Policy and IRS still listed planned IRA regulations. GAO will not close this recommendation as implemented until the new valuation guidance is issued.
GAO-17-28, Nov 23, 2016
Phone: (202) 512-7114
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: The Centers for Medicare & Medicaid Services (CMS) concurred with GAO's recommendation. On December 30, 2016, the agency issued guidance on the Community First Choice program to assist states in submitting information to CMS on the health and welfare of beneficiaries. In March 2019, CMS officials stated that the agency is currently developing the process for states to report this information to CMS. Agency officials also stated they are exploring the value of collecting this information for the Participant-Directed Option program given the limited number of states currently operating under this authority. In February 2020, CMS officials stated that the agency continues to develop policy related to this recommendation.
GAO-17-91, Nov 17, 2016
Phone: (202) 512-2834
Agency: Department of Transportation
Status: Open
Comments: DOT published the Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains final rule in February 2019. As of September 2020, PHMSA indicated that it wanted to close out the recommendation by adding 2 questions to the Hazardous Materials Emergency Preparedness grant application asking SERCs whether they receive information on High-Hazard Flammable Train operations and whether they are disseminating this information to local planning entities. OMB is currently reviewing the additional information request. We will continue to monitor DOT's efforts to address the recommendation.
GAO-17-48, Nov 15, 2016
Phone: (202) 512-8678
including 5 priority recommendations
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In January 2019, the Federal Reserve said it had initiated two projects that would allow a more efficient evaluation of multiple scenarios, including assessing trade-offs associated with different levels of scenario severity. In December 2019, Federal Reserve staff provided updates on these projects, which remain in progress. We will continue to monitor the Federal Reserve's completion and implementation of these projects and any additional actions it takes that may be responsive to our recommendation.
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In January 2019, the Federal Reserve said it had initiated two projects that would allow a more efficient evaluation of multiple scenarios. In December 2019, Federal Reserve staff provided updates on these projects, which remain in progress. We will continue to monitor the Federal Reserve's completion and implementation of these projects and any additional actions it takes that may be responsive to our recommendation.
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In January 2019, the Federal Reserve said it had previously initiated multiple projects to fully respond to our recommendation, several of which were now complete. In December 2019, Federal Reserve staff provided updates on the remaining projects, which remain in various stages of completion. We will continue to monitor the Federal Reserve's completion and implementation of these projects and, once we receive documentation demonstrating the completion of responsive actions, we will update the status of this recommendation.
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In January 2019, the Federal Reserve said it had previously initiated a project to fully respond to our recommendation. In December 2019, Federal Reserve staff provided updates on the project, but as of February 2020, had not provided documentation fully supporting implementation of a process consistent with our recommendation. We will continue to monitor the Federal Reserve's completion and implementation of this project, and we will update the status of this recommendation once we receive documentation demonstrating the completion of responsive actions.
Agency: Federal Reserve System
Status: Open
Priority recommendation
Comments: In January 2019, the Federal Reserve said it had previously initiated a project to fully respond to our recommendation. In December 2019, Federal Reserve staff provided updates on the project, but as of February 2020, had not provided documentation fully supporting implementation of a process consistent with our recommendation. We will continue to monitor the Federal Reserve's completion and implementation of this project, and we will update the status of this recommendation once we receive documentation demonstrating the completion of responsive actions.
GAO-17-49, Oct 27, 2016
Phone: (202) 512-2834
Agency: Department of Transportation
Status: Open
Comments: FMCSA has reviewed the methodology for its effectiveness model and identified many of the same limitations GAO discussed in its report. FMCSA also identified several approaches to address these limitations, including modifying its model to measure individual intervention types. However, as of July 2020, FMCSA had not implemented any of its proposed approaches.
Agency: Department of Transportation
Status: Open
Comments: The Federal Motor Carrier Safety Administration (FMCSA) plans to establish an inventory of effectiveness and efficiency measures and monitor performance on an ongoing basis. FMCSA is working to modify its model to measure the effectiveness of individual intervention types. However, as of July 2020, it had not implemented any of its proposed modifications.
GAO-16-680, Aug 31, 2016
Phone: (404) 679-1875
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. In June 2019, DOD reported that the U.S. Army Corps of Engineers had developed a sophisticated risk assessment tool which could potentially be used to both define and assess exceptionally high risk buildings in a cost-effective manner. DOD said that it was in the process of determining the suitability of the tool for use by its components, and potentially other federal government partners. According to DOD, further action to address this recommendation will depend on both a favorable determination of the tool's suitability and the availability of funding to conduct assessments and complete the mitigation actions identified by the assessments. We will continue to monitor DOD's efforts to address this recommendation.
GAO-16-771, Aug 26, 2016
Phone: (202) 512-6244
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.
GAO-16-710, Aug 11, 2016
Phone: (202) 512-3841
Agency: Department of Energy
Status: Open
Comments: In an October 7, 2016, letter the Under Secretary for Nuclear Security and Administrator of the National Nuclear Security Administration (NNSA) said he agreed with GAO's recommendation to assess situations that might warrant the use of the enhanced procurement authority and, should specific circumstances be identified for use of the authority, NNSA would develop a process for its use. The assessment would include an examination of resources to support use of the authority. NNSA would work with other Department of Energy organizations as appropriate in conducting the assessment. NNSA officials said they submitted the assessment to the congressional committees in March 2020. We requested a copy of the assessment and will update the status of this recommendation after we receive and review it.
GAO-16-679, Jul 28, 2016
Phone: (202) 512-28334
Agency: Department of Transportation
Status: Open
Comments: FAA did not concur with this recommendation. In July 2019, GAO confirmed that FAA does not plan to implement the recommendation because the agency continues to believe the subjective nature of volume of work makes it an ineffective risk indicator. However, the agency monitors many factors as primary risk indicators at repair stations. Many of these risk indicators are associated with important aspects of work volume such as high workforce turnover; changes in management; rapid growth or downsizing; changes in aircraft complexity/programs; financial conditions; age of fleet and increases in aircraft discrepancies. FAA considers these factors and the criticality of a specific maintenance action on an aircraft to be the most important risk indicators.
Agency: Department of Transportation
Status: Open
Comments: In July 2019, GAO confirmed that FAA plans to develop overall program goals and metrics as part of the next implementation phase of its new Safety Assurance System. These metrics are expected to be fully developed based on the final design of the new system and the program requirements identified. Final system testing and deployment into production for the Safety Assurance System is expected to be completed by February 2021, with final implementation scheduled to be completed by May 2022. Additionally, prior to deploying the system, FAA plans to provide training courses to the aviation safety workforce who will be using the new system, and plans to issue new policy documentation in June 2020 that will be used to provide additional guidance to that workforce on properly using the system.
GAO-16-542, Jul 14, 2016
Phone: (202) 512-8612
including 2 priority recommendations
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation
Comments: As of December 2019, CBP was taking steps to conduct the type of risk analysis GAO recommended in July 2016. In November 2019 we reported that according to CBP, the agency had developed and successfully tested two models using risk factors including, but not limited to, the type of good, country of origin of the good, and whether the importer is from a foreign country. One test demonstrated that, using data from fiscal years 2007-2015, CBP could have predicted over 95 percent of the importers with delinquent antidumping and countervailing (AD/CV) duty bills in fiscal years 2016 and 2017. CBP requested $17 million in fiscal year 2020 funds to make updates to its information systems necessary to facilitate the implementation of statistical models. CBP is also working on long-term enhancements to the models that it says will leverage additional modeling techniques, such as social network and spatial analysis. Regularly conducting a comprehensive risk analysis of factors related to AD/CV duty non-collection could enhance CBP's capacity to collect additional revenue by enabling CBP to increase bonding amounts for continuous entry and single-transaction bonds for importers with a greater risk of nonpayment. In a December 2019 Commercial Customs Operations Advisory Committee report, CBP said that it planned to begin rolling out a risk-based bonding framework in March 2020. The new framework relies on a bond formula that is in part based on risk factors identified by the statistical models.
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Priority recommendation
Comments: As of December 2019, CBP was taking steps to develop a risk-based AD/CV bonding framework to use in conjunction with the development of an AD/CV risk assessment model. CBP is developing a supplemental AD/CV duty continuous entry bond that incorporates nonpayment risk factors identified in its statistical models and has worked with Commercial Customs Operations Advisory Committee (COAC) to test the proposed risk-based bonding formula by applying it to historical data. CBP has estimated that the collection rate under the risk-based bonding framework using the proposed formula would have been significantly higher than the collection rate under its existing bond policies during fiscal years 2007-2017, both in number and value of the bills collected; however, COAC members said the proposed bond formula would have resulted in overinsurance, which could increase cost to importers. The use of supplemental continuous entry bonds may require regulatory changes and modifications to CBP's database. CBP has also conducted an analysis of the use of single-transaction bonds using historical data, and found that this procedure would have allowed CBP to collect significantly more revenue in fiscal years 2007-2018. CBP is working with COAC members to test a risk-based application of single-transaction bonds to historical AD/CV duty entries to assess whether the bond would have reduced the amount of uncollected duties. In a December 2019 Commercial Customs Operations Advisory Committee report, CBP said that it plans to roll out its risk-based bonding framework in March 2020.
GAO-16-494, Jun 2, 2016
Phone: (202) 512-9286
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. HHS submitted a draft version of this methodology in June 2018. Upon reviewing this documentation, however, we did not see evidence that the department was factoring active risks into its CIO ratings. In May 2019, HHS officials stated that they planned to update their CIO rating methodology to focus on active risk; however, department documentation from August 2020 stated that the new CIO rating methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that the department was amending its CIO rating review process to ensure that active risks are factored into its IT Dashboard CIO ratings. In August 2020, VA submitted documentation for this new process; however, this documentation did not state how the department incorporates active risks into its investments' CIO ratings. We will continue to monitor the implementation of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation, and, in an October 2017 response, stated that it currently evaluates risk as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS) agreed with the recommendation and, in a written response, stated that it updated its CIO evaluation methodology to measure active risks in areas such as budget variance, performance, policy and governance compliance, risk management, and contract risk. According to HHS, these risk areas reflect both internal and external risks that affect an investment's ability to accomplish its goals. HHS submitted a draft version of this methodology in June 2018. While this documentation showed that HHS factored investment qualities related to overall project riskiness, it did not specify that active investment risks were also being factored as part of the evaluation. Without an additional focus on active risk, this methodology is unlikely to ensure that HHS's CIO ratings reflect the level of risk facing an investment. In May 2019, HHS officials stated that they planned to update their CIO rating methodology; however, per HHS documentation dated August 2020, this new methodology is still in draft form and is not finalized. We will continue to monitor HHS's efforts in implementing this recommendation.
Agency: Department of Veterans Affairs
Status: Open
Comments: The Department of Veterans Affairs (VA) agreed with the recommendation and, in a written response, stated that it will ensure that CIO ratings reflect the level of risk facing its investments. In August 2020, VA submitted documentation for an updated CIO ratings process; however, this process documentation did not state how the department incorporates active risks into its investments' CIO ratings. Without a consideration of active risks, VA's CIO rating process may not produce ratings that reflect the level of risk facing VA's investments. We will continue to monitor the status of this recommendation.
Agency: Department of State
Status: Open
Comments: The Department of State (State) agreed with the recommendation and has provided information on how investment risk is evaluated as part of its IT governance activities. In March 2019, State informed us that its Bureau of Information Resource Management was developing a new policy and associated guidance for calculating its CIO risk ratings; however, as of September 2020, we have not received this new documentation. We will continue to monitor the status of this recommendation.
GAO-16-582, May 31, 2016
Phone: (202) 512-7141
Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open
Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2018, FAMS revised its deployment methodology to no longer set an annual target number of average daily international and domestic flights to cover. Rather, FAMS now prioritizes deploying air marshals on as many flights as possible with passengers who have been identified as potentially higher risk because they match TSA's intelligence-based screening rules, among other risk-based priorities. In August 2020, FAMS officials explained that they were evaluating their concept of operations and planned to more fully develop a risk basis for dividing its resources between international and domestic flights. By doing so, FAMS could better ensure it is targeting its limited resources to the highest risk flights and better aligning with FAMS's stated goal of using risk-based decisions to guide mission operations. As a result, this recommendation remains open.
GAO-16-501, May 18, 2016
Phone: (202) 512-6244
including 1 priority recommendation
Agency: Office of Personnel Management
Status: Open
Priority recommendation
Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities. As of March 2020, OPM has not provided evidence that it has completed these actions.
Agency: Department of Veterans Affairs
Status: Open
Comments: VA concurred with our recommendation. The agency has conducted security control assessments for the two systems, but these assessments did not show that technical controls were comprehensively tested. According to VA, the agency will complete the next security control assessment in October 2019 and complete the system assessment report in December 2019. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to VA informing us that it has completed implementation, we plan to verify the agency's actions.
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.
GAO-16-439, Apr 14, 2016
Phone: (202) 512-5431
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. According to DOD officials, as of July 2018, this recommendation conflicts with established Office of the Under Secretary of Defense/Cost Estimation and Program Evaluation guidance for cost estimation and uncertainty analysis. Absent a change in policy at that level, the Joint Program Office will continue to follow Office of the Under Secretary of Defense/Cost Estimation and Program Evaluation policy on this issue. We continue to believe that in order for any risks associated with ALIS to be addressed expediently and holistically, uncertainty and sensitivity analysis must be used on the F-35's cost estimates to improve its overall reliability. Thus, this recommendation will remain open.
Agency: Department of Defense
Status: Open
Comments: DOD partially concurred with this recommendation. According to DOD officials, since April 2016, the F-35 program has continued to update the ALIS estimate with the latest available cost data, based on recent contracts. Until more reliable actual costs become available, the program utilizes negotiated contract costs, incorporates program initiatives, and ensures the estimate reflects the latest technical baseline and requirements. Until actual costs associated with ALIS historical data are incorporated in the F-35 cost estimate, we believe that the estimate will not be as reliable as it could be. For this reason, this recommendation will remain open.
GAO-16-193, Mar 31, 2016
Phone: (202) 512-8678
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, Rural Development said that implementing the recommendation would require a rule change and that it anticipated publishing a proposed rule by December 31, 2020.
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, Rural Development said it anticipated publishing a proposed rule to implement this recommendation by December 31, 2020.
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, Rural Development said it anticipated publishing a proposed rule to implement this recommendation by December 31, 2020.
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, Rural Development said it was working with a contractor to establish more meaningful performance measures and estimated a completion date of December 31, 2020.
Agency: Department of Agriculture
Status: Open
Comments: Rural Development hired a contractor to help establish risk thresholds for the guarantee program. The contractor's October 2016 report developed and recommended portfolio-level and loan-level risk thresholds (values that trigger consideration of policy adjustments) and also recommended that program officials conduct stress tests to validate that each recommended risk threshold was appropriate for the program's overall risk appetite. As of August 2020, Rural Development said it was continuing to work with the contractor to stress test the risk thresholds and estimated a completion date of December 31, 2020.
Agency: Department of Agriculture
Status: Open
Comments: In August 2020, Rural Development said that its Chief Risk Officer was working with the agency on establishing procedures for selecting Rural Development credit programs for review based on risk, including a prioritized schedule. Rural Development estimated a completion date of June 30, 2021.
GAO-16-336, Mar 30, 2016
Phone: (202) 512-4456
Agency: Department of Defense: Department of the Navy
Status: Open
Comments: DOD concurred with this recommendation and stated in March 2016 that the Navy had corrected the data query issue that caused 11 requirements to be eliminated from the traceability matrix we reviewed. DOD also stated that the Navy had identified the weakness in the traceability process that led to 14 general requirements not being fully traced. However, as of June 2020, DOD had not provided us with documentation that supports that it identified the weakness in the requirements traceability process. It also had not demonstrated that the program office has updated its requirements management guidance to address the weakness it identified.
GAO-16-305, Mar 21, 2016
Phone: (202) 512-7114
Agency: Department of Agriculture
Status: Open
Comments: In October 2016, the United States Department of Agriculture (USDA) stated that its Joint Committee on Biorisk Management Policy (JCBMP) would oversee the revisions of existing policies to include department-wide incident reporting requirements and time frames. As of July 2020, USDA estimated that these revisions should be completed by October 2020. Officials stated that updates to component agency policies would be completed shortly after issuance of the departmental policy. We will update the status of this recommendation when we receive additional information.
Agency: Department of Agriculture
Status: Open
Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing outdated departmental policies. In addition, officials stated that APHIS reviews and updates agency policies every 3-5 years, and that this schedule will be reflected in the updated departmental policy. In October 2019, the Agricultural Research Service (ARS) updated its agency policy for its institutional biological safety committee, the entity responsible for ensuring biosafety in its laboratories. As of July 2020, USDA estimated that revisions to the departmental, APHIS, and Food Safety and Inspection Service (FSIS) policies should be completed by December 2020. We will update the status of this recommendation when we receive additional information.
Agency: Department of Agriculture
Status: Open
Comments: In October 2016, USDA stated that the JCBMP would oversee efforts to collect and analyze laboratory inspection results and incident reports and share these reports and critical analyses with USDA senior leadership on an annual basis. As of July 2020, USDA estimated that revisions to its departmental policy--which would reflect the JCBMP's role in analyzing inspection results and incident reports, identifying potential trends, and sharing lessons learned--should be completed by October 2020. We will update the status of this recommendation when we receive additional information.
Agency: Department of Agriculture
Status: Open
Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing policies to include requirements for routine reporting of inspection results to senior USDA officials. In July 2020, USDA estimated that these revisions should be completed by October 2020. We will update the status of this recommendation when we receive additional information.
Agency: Department of Agriculture
Status: Open
Comments: In October 2016, USDA stated that the JCBMP would oversee the revisions of existing policies to include requirements for routine reporting of laboratory incidents to senior USDA officials. In July 2020, USDA estimated that these revisions should be completed by October 2020. Officials stated that updates to component agency policies would be completed shortly after issuance of the departmental policy. We will update the status of this recommendation when we receive additional information.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. In June 2018, DOD stated that it had completed evaluation of existing DOD and service level guidance related to inventory control. DOD also stated that it will continue to analyze the adequacy of existing policy and the need to expand that policy across the DOD Lab Enterprise as the draft Department of Defense Manual (DoDM) 6055.18 is finalized for publication. As of August 2019, DoD said the draft DoDM 6055.18 was still in review and the agency estimated it would complete work to respond to this recommendation in February 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. DOD stated that it had updated the Air Force policy (AF Instruction 10-2611-0) as of January 19, 2017; this document updates the biological safety standards used in AF labs and implements the draft update to Department of Defense Manual 6055.18M: Safety Standards for Microbiological and Biomedical Laboratories. As of July 2019, DOD provided GAO with the updated Army policy AR 190-17; however DOD officials stated that as the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, this recommendation should remain open. DOD estimated it would complete work to respond to this recommendation in February 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. In August 2019, DOD reported that the Air Force is planning to close its BSAT program by the summer of 2019 and planning was underway to move the Air Force BSAT inventory to another DOD BSAT facility. Additionally, the Army was revising its AR 385-10, which contains biosafety criteria unique to the Army, and estimated the revision would be completed by December 2019. Finally, the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, and DOD estimated it would complete work to respond to this recommendation in February 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. In August 2019, DOD reported that the Air Force is planning to close its BSAT program by the summer of 2019 and planning was underway to move the Air Force BSAT inventory to another DOD BSAT facility. Additionally, the Army was revising its AR 385-10, which contains biosafety criteria unique to the Army, to include a new mishap classification for biosafety mishaps to effect better reporting and analysis of these mishaps, and estimated the revision would be completed by December 2019. Finally, the draft Department of Defense Manual (DoDM) 6055.18 was still undergoing review, and DOD estimated it would complete work to respond to this recommendation in February 2020.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. As of June 2018, DOD stated that the draft directive DODD 5101.XXE, which is expected to be published in October 2018, formally designates the Executive Agent Responsible Official for Biosafety and Biosecurity and will establish roles and responsibilities including a role for reporting inspection results. Further, DOD stated that all inspection results of a joint inspection team are provided to the Executive Agent Responsible Official, and that the joint inspection team was established in September 2016. As of September 2019, DOD officials had provided updated documentation regarding this recommendation, and GAO was reviewing these updates.
Agency: Department of Health and Human Services
Status: Open
Comments: In August 2016, HHS reported that both CDC and FDA were working to incorporate incident reporting requirements and time frames into formal agency policies and practices but did not provide an anticipated completion date. In summer 2017, CDC and FDA reported that they were continuing to incorporate incident reporting, which includes all laboratory incidents, accidents, injuries, infections, and near-misses, into formal agency policies. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019 we had not received an update from HHS on the status of CDC's implementation of this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: In August 2016, HHS reported that CDC plans to revise its policies to include training and inspection requirements for inspections for all high-containment laboratories but did not provide an anticipated completion date. In June 2017, HHS reported that CDC was in the process of revising its formal policies to ensure they included requirements for training and inspections for all of the agency's high-containment laboratories but did not provide an anticipated completion date. In December 2017, HHS reported that CDC's policies were in the initial stages of the clearance process and anticipated they would be finalized in fall 2018. As of September 2019, HHS had not provided an update on the status of these policies.
Agency: Department of Health and Human Services
Status: Open
Comments: In August 2016, HHS reported that CDC was working with FDA and NIH to establish a process for notifying HHS leadership of inspection results through the department's Biosafety and Biosecurity Coordinating Council. HHS did not provide us with an anticipated time frame for implementing this notification practice or when the agencies plan to begin notifying HHS of inspection results. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019, HHS had not provided an update on the status of NIH's actions.
Agency: Department of Health and Human Services
Status: Open
Comments: In August 2016, HHS reported that NIH's ongoing practice is to report the results of external inspections to senior agency officials and, in May 2016, developed a standard operating procedure that outlines this reporting process. In March 2017, NIH officials provided assurance that its Division of Occupational Safety and Health provides NIH's intramural governing body with information about NIH's safety performance at least annually; officials further assured that this information includes the overall results of annual inspections (or audits, as NIH calls them) of all NIH laboratories and discussion of the top 10 most reported safety infractions for the year. GAO considers NIH to have implemented the recommended action. GAO will close the overall recommendation once FDA has taken equivalent, appropriate action. As of August 2019, FDA reported that the agency began piloting a standardized agency-wide laboratory safety inspection checklist to ensure that all laboratories are inspected rigorously and consistently. As part of the pilot, all laboratories were to be inspected during the first 3 quarters of the calendar year. The agency said it planned to aggregate the results of the inspections, and trends and significant findings would be reported to FDA senior leadership in the fourth quarter of 2019. GAO will continue to monitor FDA's actions to implement this recommendation.
Agency: Department of Health and Human Services
Status: Open
Comments: In August 2016, HHS reported that its Biosafety and Biosecurity Council was working to establish incident reporting requirements for CDC, FDA, and NIH but did not provide an anticipated completion date. HHS noted that NIH formally adopted a standard operating procedure that lays out the agency's requirements for reporting incidents to senior officials. In August 2019, FDA reported that it continues to work with the Biosafety and Biosecurity Coordinating Council to establish a process for the routine reporting of these results but had not yet completed its actions. As of September 2019, HHS had not provided an update on the status of NIH or CDC actions.
GAO-16-175, Feb 25, 2016
Phone: (202) 512-8678
Agency: Congress
Status: Open
Comments: At least two bills have been introduced in the 115th Congress that would change the financial regulatory structure, to some degree, to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. The Financial CHOICE Act of 2017 (H.R. 10) was introduced on April 26, 2017, passed the House in June 2017 and the Senate held hearings in July 2017. Among other things, the Financial CHOICE Act of 2017 calls for the federal financial regulatory agencies to implement policies and procedures to minimize the duplication of effort with respect to enforcement actions. For example, it eliminates the authority of the Consumer Financial Protection Bureau to supervise and examine financial institutions and also eliminates the regulatory and enforcement authority of the agency with respect to unfair, deceptive, and abusive acts and practices by depository institutions. Such actions could help reduce fragmentation and overlap in the financial regulatory structure. In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) was introduced on November 16, 2017 and passed in the Senate in March 2018. The bill, to some extent, may help address fragmentation, overlap, and duplication in the financial regulatory structure. For example, the bill helps to address fragmentation in insurance oversight by finding that the federal agencies and office involved in insurance regulation should achieve consensus with state insurance regulators when they participate in negotiations on insurance issues before any international forum of financial regulators or supervisors, and create an advisory committee to discuss and report on insurance policy issues including international issues. 
GAO will continue to monitor the reform efforts to determine the extent to which they could help to address fragmentation and overlap between the federal financial regulatory agencies and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.
Agency: Congress
Status: Open
Comments: While some legislative action has been taken that may alter FSOC's authorities, it is not clear that the legislation would address GAO's February 2016 suggestion. The Financial CHOICE Act of 2017 (H.R. 10) was introduced on April 26, 2017, passed the House in June 2017, and the Senate held hearings in July 2017. The bill would change FSOC's authorities by repealing its authorities to designate non-bank financial institutions and financial market utilities (i.e., payment, clearing, and settlement systems) as "systemically important." In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) was introduced on November 16, 2017 and passed in the Senate in March 2018. The bill may alter some of FSOC's authorities. However, it is unclear if these acts would alter FSOC's mission to better align it with its authorities to respond to systemic risk or address a gap in systemic risk mitigation mechanisms. Without legislative changes that would align FSOC's authorities with its mission, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge and a gap will continue to exist in the mechanisms for mitigating systemic risks. GAO will continue to monitor the reform efforts to determine the extent to which they help to align FSOC's authorities with its mission to respond to systemic risks.
GAO-16-29, Feb 23, 2016
Phone: (202) 512-6722
including 5 priority recommendations
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In April 2016, HHS reported it considers this recommendation closed because it expanded the use of analytics to analyze the value of premium tax credit and CSR subsidies that are eliminated or adjusted for 2015 actions at the policy level, and that CMS continues to analyze the data to develop future operations changes. In May 2016, we requested documentation of these actions, including (1) information produced using the capability described; (2) ways in which this information is being used for analysis for purposes such as program operations, monitoring, risk assessment, or fraud cleaning; and (3) a description of the future operational changes contemplated based on the analyses done. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. GAO said it would continue to monitor the agency's progress in this area. In March 2019, CMS reversed its initial concurrence with the recommendation, citing inability to obtain necessary data from another agency and a legal opinion on CSR subsidies. GAO kept the recommendation open, saying the developments HHS cited were irrelevant. In December 2019, after HHS reiterated its non-concurrence, GAO continued to maintain the recommendation as open.
Agency: Department of Health and Human Services
Status: Open
Comments: As of December 2018, CMS officials said the Department of Health and Human Services (HHS) had received a legal opinion from the U.S. Attorney General regarding validity of CSR payments, which prompted the agency to halt the payments as of October 2017. CMS officials said that if the recommendation were to be implemented, it would amount to creating new rules and a process for a program feature that no longer exists. However, in January 2019, HHS indicated that the administration supports a legislative solution that would appropriate CSR payments, and GAO continues to monitor for relevant legislative action. If funding becomes available to restore CSR payments, then implementing this recommendation would aid CMS in reducing improper payments. In December 2019, CMS reversed its initial concurrence with the recommendation, citing the legal opinion. GAO, however, continued to maintain the recommendation as open.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In April 2016, HHS reported that it considered this recommendation open and was working on implementing functionality for updating consumers' Social Security numbers (SSN) and their eligibility based on the correct SSN. HHS reported that it is targeting deployment of the SSN update functionality in 2017. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. In December 2019, HHS told GAO it continues to evaluate steps necessary to implement the recommendation, and expects close-out by October 2020. We will continue to monitor the agency's progress in this area.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In April 2016, HHS reported it considers this recommendation closed because in 2015, it made the determination to no longer require application filers to submit documentation regarding incarceration status. We were aware of that determination, but the recommendation was to reevaluate use of PUPS from the specific standpoint of using the data as it was intended to be used as an indicator of further research and then draw a conclusion on the use of the data. In May 2016, we requested documentation demonstrating that in the period since we made this recommendation, CMS has undertaken the reevaluation in the fashion that we indicated. As of December 2018, HHS officials had not provided GAO with evidence that the agency had implemented this recommendation. In December 2019, HHS told GAO it continues to evaluate steps necessary to implement the recommendation, and expects close-out by October 2021. We will continue to monitor the agency's progress in this area.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In April 2016, HHS reported that since May 2015, call center representatives have received daily updates on the status of eligibility documentation. HHS reported that it is working to provide call center representatives with real-time data. HHS reported it considers this February 2016 recommendation to be closed. In May 2016, GAO noted that its February 2016 recommendation was focused on providing such real-time capability and requested (1) confirmation that call center representatives currently have on-demand, real-time access to up-to-date, application-level document status; and documentation showing development and implementation of this capability; or (2) a written plan and schedule for providing this capability as recommended. However, as of December 2018, HHS officials had not provided GAO with evidence that the agency has implemented this recommendation. In December 2019, the agency provided new evidence in support of closure, for which GAO requested supporting information. We will continue to monitor the agency's progress in this area.
Agency: Department of Health and Human Services
Status: Open
Priority recommendation
Comments: In April 2016, HHS reported it considers this recommendation closed because CMS prepares an annual Marketplace and Related Programs Cycle Memo to fulfill reporting requirements for internal control. The Memo describes all significant eligibility and enrollment policy and process changes, including new internal key controls associated with these changes, and the 2015 Memo was released in September 2015. In May 2016, we notified HHS that its actions do not close the recommendation. Information contained in the Memos is after-the-fact and while useful, does not meet the full range of documentation contemplated by our recommendation, especially development and analysis of changes prior to implementation. As of December 2018, HHS officials had not provided GAO with evidence that the agency has implemented this recommendation. In December 2019, HHS reversed its initial concurrence with the recommendation and said it would provide additional information on that decision. We will continue to monitor the agency's progress in this area.
Phone: (202) 512-8777
including 1 priority recommendation
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: In October 2016, DHS indicated that USCIS had established a working group and collected fraud trend information from all eight asylum offices that will be used to inform the development of a risk assessment framework. According to USCIS officials, the Asylum Division, in cooperation with other relevant internal stakeholders such as USCIS's Fraud Detection and National Security Directorate (FDNS), completed a draft asylum fraud risk assessment in September 2017. In January 2019, Asylum Division officials told us that they had identified limitations in the data used in the draft assessment. Thus, USCIS was working to complete a revised qualitative risk assessment report for our review. Officials also told us that the report was undergoing additional revisions due to changes in 2019 to the affirmative asylum program, and to reflect updates to the resources dedicated to FDNS's functions. As of October 2020, USCIS anticipates finalizing the report by the end of December 2020. Regularly assessing fraud risks across the affirmative asylum process would provide USCIS more complete information on risks that may affect the integrity of the process and therefore help USCIS target its fraud prevention efforts to those areas that are of highest risk.
GAO-16-37, Nov 23, 2015
Phone: (202) 512-3841
Agency: Executive Office of the President
Status: Open
Comments: As of January 2020, the Executive Office of the President has yet to take action in response to this recommendation.
Agency: Executive Office of the President
Status: Open
Comments: As of January 2020, the Executive Office of the President has yet to take action in response to this recommendation.
GAO-16-79, Nov 19, 2015
Phone: (202) 512-6244
Agency: Department of the Treasury
Status: Open
Comments: The Department of the Treasury, as the sector-specific agency for the financial services sector, continues to develop initiatives intended to enhance the sector's cybersecurity. In 2016, Treasury developed and promulgated a set of seven fundamental elements or critical building blocks for sector stakeholders' cybersecurity, disseminated a template for financial sector cyber exercises, and promoted the NIST Cybersecurity Framework throughout the sector. However, they have not provided evidence of metrics implemented, and the 2015 sector-specific plan does not include specific metrics to track and report on their effectiveness. We will continue to monitor Treasury's efforts to create specific metrics and related reports on the sector's cybersecurity progress.
Agency: Department of Agriculture
Status: Open
Comments: The Department of Agriculture (USDA), as the co-sector specific agency for the food and agriculture sector, with the Department of Health and Human Services (HHS) continues to implement cybersecurity-related activities for the sector. In particular, USDA, through the sector coordination council, routinely shares best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, USDA has hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As USDA and HHS continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
Agency: Department of Health and Human Services
Status: Open
Comments: The Department of Health and Human Services (HHS), as the co-sector specific agency for the food and agriculture sector, with the Department of Agriculture (USDA) continues to implement cybersecurity-related activities for the sector. In particular, through the sector coordination council, they routinely share best practices and informational bulletins from the Department of Homeland Security on cybersecurity with sector stakeholders via the Homeland Security Information Network. In addition, at semi-annual council meetings, they have hosted roundtable discussions of cybersecurity challenges and best practices. No evidence of performance metrics to track and report on the SSAs' activities or the sector's cybersecurity progress has been provided. As HHS and USDA continue to carry out their sector-specific agency role, we will continue to monitor their efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
Agency: Environmental Protection Agency
Status: Open
Comments: The Environmental Protection Agency (EPA) continues to develop and implement activities in support of the water and wastewater sector's cybersecurity such as a cyber-attack risk assessment tool and cybersecurity training for sector partners. The 2015 water and wastewater sector-specific plan calls for assessing performance and reporting on sector cybersecurity progress; however, the plan does not state specific measures. In 2017, agency officials stated that the development of performance metrics in collaboration with sector partners was underway; however, EPA has not provided evidence of the metrics or any tracking effort. As EPA continues to carry out its sector-specific agency role, we will continue to monitor its efforts and associated performance metrics to be developed to demonstrate the effectiveness of these activities.
GAO-16-61, Nov 4, 2015
Phone: (202) 512-3604
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for preventing sexual assault. The PPoA contains 29 actions DOD will take to implement the prevention strategy. In March 2020, DOD officials stated that they had chartered a Prevention Collaboration Forum, which consists of subject matter experts, to address destructive behaviors which may share the same risk and protective factors as sexual assault. Additionally, DOD officials stated that research had begun on identifying the department's risk and protective factors. The officials expected the completed risk studies to be published internally in April 2020 and June 2020. We will continue to monitor DOD's efforts and update the recommendation's status when more information becomes available.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for a strategic approach to preventing sexual assault. The PPoA contains 29 actions DOD plans to take to implement the prevention strategy, and instructs DOD to continuously evaluate sexual assault prevention activities. In December 2019, DOD officials stated that they were in the process of conducting an assessment of each of the services' efforts to implement the prevention strategy. Additionally, DOD officials stated that they are developing a milestone report to be issued by the end of fiscal year 2020 that will include updates on all of the department's efforts to prevent sexual assault. DOD is also planning to issue a report in fiscal year 2023 that will include a complete evaluation of the department's efforts to prevent sexual assault. We will continue to monitor DOD's efforts and update the recommendation's status when more information becomes available.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation. In April 2019, DOD issued a Prevention Plan of Action (PPoA) that will serve as a framework for a strategic approach to preventing sexual assault. The PPoA contains 29 actions DOD will take to implement the prevention strategy. The PPoA also directs the military services to review and revise their policies to reduce sexual assault and execute prevention activities. According to DOD officials, these efforts are currently underway. We will update the status of this recommendation when more information becomes available.
GAO-15-647, Jul 29, 2015
Phone: (202) 512-9110
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. In March 2017, IRS provided documentation of actions taken on the recommendation, but the documents did not clearly define and communicate program objectives sufficient for internal control to support the collection program mission, including fairness in case selection. In November 2017, IRS provided additional documentation but it did not address case selection fairness or other objectives for the collection program and enterprise-wide case categorization and routing processes. In June 2019, IRS officials provided information on an ongoing IRS initiative to identify objectives for various programs, but the collection program with its case processes was not among the pilot programs. As a result, any actions to implement the recommendation will be stalled until the initiative's pilot programs are complete. As of November 2019, IRS had not provided a planned date when it expects to complete them. We will update the status of IRS's plans and actions to implement the recommendation after we complete review of any documents IRS provides, as we requested in December 2019.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with the recommendation. In November 2016, IRS provided documentation of risk management training for managers intended to assist them in understanding their responsibilities for identifying internal and external risks to collection program objectives. However, since objectives for the collection program and fairness were not yet clearly defined, such guidance could not be effectively incorporated into risk assessment processes. In March 2017, IRS provided documentation of further actions taken, but the documents did not clearly define and communicate program objectives sufficient for internal control, including risk assessment. In November 2017, IRS provided additional documentation but it did not address case selection fairness or other objectives for the collection program. In June 2019, IRS officials provided information on an ongoing IRS initiative to identify objectives for various programs, but the collection program was not among the pilot programs. As a result, any actions to implement the recommendation will be stalled until the initiative's pilot programs are complete. As of November 2019, IRS had not provided a planned date when it expects to complete them. We will update the status of IRS's plans and actions to implement the recommendation after we complete review of any documents IRS provides, as we requested in December 2019.
GAO-15-487, May 22, 2015
Phone: (202) 512-7114
Agency: Department of Defense
Status: Open
Comments: DOD concurred with our recommendation. In August 2016, DOD officials told us that a new DOEHRS version was released that contained several system enhancements and defect corrections to improve overall data quality in the system. However, as of July 2020, DOD had not provided specific information on these system enhancements, which would allow us to determine whether our recommendation has been fully addressed.
GAO-15-315, Mar 31, 2015
Phone: (202) 512-6253
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.
Agency: Library of Congress
Status: Open
Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Office finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.
GAO-15-284, Mar 19, 2015
Phone: (202) 512-3604
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in written comments on our report. In October 2016, DOD published its plan for preventing and responding to sexual assaults of military men. In that plan, DOD generally outlined its intent to develop metrics to assess prevention and response efforts pertaining to males who experience sexual assault. In July 2019, officials from DOD's Sexual Assault Prevention and Response Office stated that DOD's efforts outlined in the October 2016 plan include data-driven decision making. However, DOD has not provided evidence that it has developed a plan for data-driven decision making to prioritize its sexual assault prevention efforts. We will continue to monitor DOD's efforts to address this recommendation.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in written comments on our report. In October 2016, DOD issued a plan to prevent and respond to sexual assault of military men. In August 2018, DOD's Sexual Assault Prevention and Response Office (SAPRO) stated that objectives 1-4 of this plan constitute DOD's goals to address sexual assaults of military men. However, the plan does not contain metrics; one of the plan's objectives is to develop metrics to assess prevention and response efforts pertaining to men who experience sexual assault. In July 2019, SAPRO officials stated that they are waiting to complete most actions for objectives 1-3 of the plan before developing associated metrics, and that completion of the metrics is expected by 2024. We will continue to monitor DOD's planned development of metrics for its prevention and response efforts for sexual assault of male servicemembers.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in written comments on our report. DOD's October 2016 plan to prevent and respond to sexual assault of military men included objectives to develop a unified communications plan tailored to men across DOD, and to improve servicemember understanding of sexual assault against men. Officials of DOD's Sexual Assault Prevention and Response Office stated in July 2019 that DOD estimates that it will complete this task in 2021.
Agency: Department of Defense
Status: Open
Comments: DOD concurred with this recommendation in written comments on our report. DOD's October 2016 plan to prevent and respond to sexual assault of military men contained objectives to develop research-informed training for servicemembers involved with sexual assault prevention and response to improve understanding of male victimization and how to prevent the crime; commander/supervisor training; and gender-responsive treatment guidelines for providers, among other things. Officials of DOD's Sexual Assault Prevention and Response Office stated in July 2019 that DOD expects to complete these tasks in 2021.
Agency: Department of Defense: Office of the Assistant Secretary of Defense (Health Affairs)
Status: Open
Comments: DOD concurred with this recommendation in written comments on our report. In August 2018, the Office of the Assistant Secretary of Defense for Health Affairs stated that DOD is writing an Instruction and two accompanying Defense Health Agency Procedural Instructions that will delineate gender-specific distinctions and care regimens where appropriate. The guidance will incorporate the findings of a report by the Psychological Health Center of Excellence of the Defense Health Agency resulting from a planned study of the patterns of health care utilization of servicemembers reporting a sexual assault, including any gender differences. As of September 2019, DOD had not yet issued the guidance. We will continue to monitor DOD's actions to implement this recommendation.
GAO-15-356, Mar 18, 2015
Phone: (202) 512-3841
Agency: Congress
Status: Open
Comments: As of May 2020, Congress has not acted on this matter.
GAO-15-282, Feb 26, 2015
Phone: (202) 512-4456
Agency: Department of Defense
Status: Open
Comments: As of January 2020, DOD had made limited progress addressing our recommendation for business system programs; however, it had not addressed the recommendation for non-business system programs. Specifically, the department updated its instruction on business systems requirements and acquisition to include, among other things, guidance on establishing baselines against which to measure progress for developing needed business capability. However, the instruction did not explicitly require that a program baseline be established within 2 years. Specifically, according to the instruction, baselines may be established at the program level or at the release level (i.e., for a manageable subset of functionality in support of the business capability), within 2 years after programs have validated a business capability is needed and received approval to conduct solution analysis. If at the program level, the baseline is to be set prior to the development of the first release or deployment. If at the release level, the baseline is to be set prior to the development of each release or deployment. In January 2020, the department also issued interim policy for software-intensive systems. However, while the interim policy requires program managers to develop an acquisition strategy that includes delivering software within one year from the date funds are first obligated to acquire or develop new software capability, the interim policy does not require software-intensive system programs to establish a program baseline within 2 years.
GAO-15-234, Feb 12, 2015
Phone: (202) 512-8678
Agency: Small Business Administration
Status: Open
Comments: In response to this recommendation, SBA improved its notifications to newly certified firms but not to other certified firms. For example, SBA's certification letter to firms with principal offices in a redesignated area specifically states that the firm is in a redesignated area, explains the implications of the designation, and notes when the redesignated status will expire. However, we found in March 2016 that SBA had not yet implemented changes to better ensure that all currently certified firms would be notified of changes that could affect their program eligibility. It is important that all certified firms potentially affected by such changes receive information about the changes or are made aware in a timely fashion of any effects on their program eligibility. As of February 2017, SBA had begun to improve its notifications to all firms. According to SBA officials, the agency has started sending program notices to all the firms in its portfolio. They told us that for its most recent notice in February 2017, the agency copied all the e-mail addresses in its HUBZone database and placed them in the e-mail distribution system. In March 2018, SBA officials informed us that they obtain monthly lists of certified firms generated by an Oracle system process and that analysts compare the new list to the prior list and add any new firms to the list. In July 2019, SBA officials told us that they informed HUBZone firms of their responsibility to stay up to date on HUBZone geographical designations and program eligibility, through updated language in its HUBZone certification letters and two notices issued to HUBZone firms. While it is helpful that SBA now includes language in its certification letters notifying firms located in a redesignated area of the implications of that designation, SBA's current process does not inform firms when their status may change.
Agency: Small Business Administration
Status: Open
Comments: In response to this recommendation, SBA officials told us that they began automating the process to notify firms that were due for recertification. According to the officials, since September 2015, notification e-mails have been sent daily (compared with the former cycle of two times a year). Each firm due for recertification within the next 30 days would receive the notice. SBA sends a second e-mail to firms that have not responded within 45 days of the first notification. According to SBA officials, as of February 2017, this change has not yet eliminated the backlog. SBA officials informed GAO in May 2017 that they have developed risk-based guidance for conducting recertification reviews and requesting supporting documentation. According to SBA, any certified HUBZone small business concern that has received $1 million or more in HUBZone contract dollars since its initial certification (or its most recent recertification) must submit the following: (a) a list of all current employees, identifying the name of the employee, the employee's address, the number of hours worked per month, and the location where the employee performs his/her work; and (b) payroll documentation. While SBA officials stated that they had completed a risk assessment of their HUBZone recertification process, SBA had not provided GAO with documentation on when SBA performed the risk assessment, which risks were identified and considered, or what analysis established the $1 million threshold as of August 2018. In July 2019, SBA provided a rationale for its risk-based approach to recertification, but the analysis for establishing the $1 million threshold remained unclear. SBA officials told us that the agency plans to conduct a risk assessment in accordance with GAO guidance for all government contracting and business development programs, including the HUBZone program. 
GAO continues to believe that such a risk assessment of the recertification process would help inform a risk-based approach to reviewing and verifying information from firms that appear to pose the most risk to the program.
GAO-15-215, Feb 9, 2015
Phone: (202) 512-3841
Agency: Department of Agriculture: Risk Management Agency
Status: Open
Comments: As of May 2020, the Department of Agriculture has not taken action to implement this recommendation.
Agency: Department of Agriculture: Risk Management Agency
Status: Open
Comments: As of May 2020, the Department of Agriculture has not taken action to implement this recommendation.
GAO-15-74, Jan 27, 2015
Phone: (202) 512-7215
Agency: Department of Labor
Status: Open
Comments: The Department of Labor (DOL) agreed that this type of information may be helpful in determining the extent to which lump sum window offers are made, as well as the types of disclosures the participants receive. However, as of July 2017, DOL reported that it has not identified authority under ERISA for it to impose such a requirement on plan sponsors either before or shortly after the plan offers the lump sum window. The agency states that ERISA expressly provides specific reporting and disclosure requirements. These include various filings, such as annual financial reports, reports upon plan termination, and reports upon making certain transfers of pension plan assets to health benefit accounts. The agency believes ERISA does not require plans to notify them regarding the benefit distribution options they offer or changes in those options, and does not read the broad rulemaking authority in ERISA in Section 505 (general regulations) and Section 110 (pension reporting and disclosure) as authorizing EBSA to establish the notice filing requirement GAO recommended. The agency also commented that ERISA expressly requires that most pension plans file a Form 5500 annual report with the statute specifying the required contents of this annual report in some detail and requiring "such other financial and actuarial information as the Secretary may find necessary or appropriate." Although the agency noted it could, by regulation, require reporting on lump sum window offers on the Form 5500, there would be a substantial time lag because ERISA by statute establishes the reporting cycle for the Form 5500 -- the report is not due until 210 days (7 months) after the plan year closes (e.g., for calendar year plans, July 31st of the following year). 
The agency recognizes that this might not be responsive to the recommendation, which appears to envision a notification system that is relatively contemporaneous with the lump sum window being offered to participants and beneficiaries. In 2018, DOL noted that it allocated its regulatory resources to other priority projects and, as of June 2020, reported that this status remains unchanged.
Agency: Department of Labor
Status: Open
Comments: The Department of Labor agreed with this recommendation, noting it is important to coordinate with the Treasury Department/IRS and PBGC to clarify the guidance regarding the information sponsors and other plan fiduciaries should provide to participants and beneficiaries when extending lump sum window offers. In 2016, the agency noted that the manner of publishing that guidance would be part of that coordination process. They may consider some formal public request for input (such as publishing a Request for Information in the Federal Register) and focus group or other field testing work. In addition, the agency noted that the 2015 ERISA Advisory Council announced that one of its projects this year concerns how to give participants effective notices and disclosures concerning lump sum window offers, including possible development of model participant notices. The 2015 Council developed recommendations and model notices on lump sum window offers in "pension risk transfer transactions," and suggested that DOL make the Model Notices available on its web site to plan sponsors and participant advocates and that plan sponsors use the Model Notices when engaging in risk transfer transactions. Similar to other model communications developed by the 2015 Council, the agency believes the model notice could be further enhanced if subjected to broader public input from, for example, plan sponsors, participant advocates, communications experts, and academics. Subject to the limits on its authority in this area and resource constraints, they are considering efforts to obtain public input on the Council's recommendations and model notice. They also intend to contact the Treasury Department/IRS and PBGC to discuss the Council's recommendations. In 2017, EBSA reported that it does not have a specific timeline for any next action but would alert GAO if a decision is made to add such a project to EBSA's agenda.
In 2018, DOL noted that it allocated its regulatory resources to other priority projects and, as of June 2020, reported no additional changes.
Agency: Department of the Treasury
Status: Open
Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it. As of August 2019, Treasury has not addressed this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it. As of August 2019, Treasury has not addressed this recommendation.
Agency: Department of the Treasury
Status: Open
Comments: Treasury generally agreed with this recommendation but did not provide specific comments on plans to address it. As of August 2019, Treasury has not addressed this recommendation.
GAO-15-112, Jan 23, 2015
Phone: (202) 512-8777
including 1 priority recommendation
Agency: Department of Justice
Status: Open
Priority recommendation
Comments: In response to our report, in December 2016, Congress passed and the President signed the FBI Whistleblower Protection Enhancement Act of 2016, Pub. L. No. 114-302, which, among other things, provides a means for FBI employees to obtain corrective action for retaliation for disclosures of wrongdoing made to supervisors and others in the employees' chain of command. Following this, the FBI worked closely with the Department of Justice's Office of Inspector General (DOJ-OIG) to develop a training that clearly identifies to whom FBI employees may make protected disclosures. In addition, the FBI issued an aligned policy directive and two fact sheets detailing whistleblower rights. In October 2018, a DOJ official reported to us that the department was in the process of updating its regulations and, in February 2020, DOJ officials confirmed that the updated regulation was in the departmental clearance process but they could not provide an estimate for when it would be finalized. As a result, as of February 2020, DOJ's regulations have not been updated and are inconsistent with the current statute and FBI's guidance and training; as such, the problem of unclear or conflicting guidance to FBI employees still needs to be addressed. To address this recommendation, DOJ would need to update its regulations and ensure that all relevant guidance is clear and consistent across the department.
GAO-15-28, Oct 29, 2014
Phone: (202) 512-3841
Agency: Department of Homeland Security
Status: Open
Comments: In August 2019, a FEMA official stated that FEMA intends to implement the recommendation in full eventually, but it is unlikely that it will happen as a cohesive effort in 2020, given other ongoing flood insurance reforms. As of August 2020, the status of this recommendation remains unchanged.
GAO-14-631, Jul 23, 2014
Phone: (202) 512-4841
including 2 priority recommendations
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA agreed with this recommendation. In January 2020, NASA stated that it planned to establish an agency baseline commitment for capability upgrades (e.g., Block 1B upgrades, such as Mobile Launcher-2 and Exploration Upper Stage) above the $250 million threshold. A joint confidence level analysis will be performed at key decision points and will include the cost and schedule range estimates for each of these upgrades. To fully implement this recommendation, however, NASA needs to provide evidence that each capability upgrade is designated a major project and is required to complete the technical and programmatic reviews required of other major development projects.
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA agreed with this recommendation. In January 2020, NASA stated that new leadership at the Human Exploration and Operations Mission Directorate is conducting an internal independent assessment to assess the current schedule and technical approach for achieving a lunar landing by 2024, including the utilization of SLS for Artemis missions. With the insights gained from this assessment, NASA will move forward with planning and executing these missions through the annual budgeting process. To fully address this recommendation, NASA will need to identify cost and schedule estimates for possible SLS missions beyond its first exploration mission, now known as Artemis I, and how its planned missions would fit within NASA's funding profile.
GAO-14-535, Jun 16, 2014
Phone: (202) 512-6806
Agency: Department of the Treasury
Status: Open
Comments: Treasury agreed with our recommendation but has not yet introduced this additional metric. In July 2019 we reached out to Treasury to obtain information on the status of this recommendation. As of October 2019, no new metric has been publicly introduced.
GAO-14-467T, Apr 8, 2014
Phone: (202) 512-9110
Agency: Congress
Status: Open
Comments: Multiple bills have been introduced in the Congress that would authorize the Department of Treasury to regulate paid tax preparers, as GAO recommended in April 2014. The most recent bills include: H.R. 3157, H.R. 3330, S. 1192, and Section 5 of S. 1138. As of August 2020, no action has been taken on any of these bills. In addition, multiple other bills were introduced in both the House and Senate between 2014 and 2018 to regulate paid tax preparers. GAO testified on October 1, 2015 on improper payments and the tax gap before Senate Finance and on December 10, 2015 on GAO recommendations before the Subcommittee on Regulatory Affairs and Federal Management, Committee on Homeland Security and Governmental Affairs, US Senate. Both hearings increased attention to GAO's matter to Congress that tax preparers be regulated. Paid preparer regulation may increase the accuracy of tax returns and potentially reduce the tax gap.
GAO-14-194, Feb 10, 2014
Phone: (202) 512-7114
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: In September 2018, FDA told us that it was using its drug shortage data system, the "Shortage Tracker," to summarize information reported by manufacturers as the reasons for existing shortages. The agency indicated that it was developing a model that would factor in drug shortage data, warning signs identified through social media, and other factors to help identify early indicators that may predict future shortages. In July 2019, the agency indicated it could conduct periodic analyses of the causes of drug shortages. However, FDA had not yet proactively conducted any rigorous analyses of predictors of drug shortages to help recognize trends, clarify causes, and resolve problems before drugs go into short supply. In an August 2020 written response, FDA reported that it was undertaking modeling efforts to explore the feasibility of predicting future drug shortages using machine learning approaches. FDA planned to complete the initial modeling by fall 2020, at which time it would identify next steps. The agency indicated that the recommendation should remain open, and GAO will continue to monitor the implementation of this recommendation.
GAO-14-114, Feb 3, 2014
Phone: (202) 512-2834
including 1 priority recommendation
Agency: Department of Transportation
Status: Open
Priority recommendation
Comments: FMCSA did not agree with our recommendation, disputing the methodology and conclusions in our report. However, we continue to believe that addressing Safety Measurement System (SMS) methodology limitations has merit and could help the agency better target FMCSA's resources to the carriers that pose the highest risk of crashing. For example, we found FMCSA requires a minimum level of information for a carrier to receive an SMS score; however, this requirement is not strong enough to produce sufficiently reliable scores. As a result, FMCSA identified many carriers as high risk that were not later involved in a crash, potentially causing FMCSA to miss opportunities to intervene with higher risk carriers. To fully implement this recommendation, FMCSA should revise SMS methodology to account for data limitations that limit comparisons so that the FMCSA is better positioned to identify and mitigate carriers that pose the greatest safety risks. FMCSA has recently developed and tested a new methodological approach that could potentially account for the limitations we identified. While FMCSA has not yet committed to deploying the new methodology, they hope to do so some time in 2020.
Agency: Department of Transportation
Status: Open
Comments: The Federal Motor Carrier Safety Administration (FMCSA) agreed with the basic principles that GAO addressed in this area, but disagreed with GAO's characterization of FMCSA's proposed Safety Fitness Determination (SFD) rule. In January 2016, FMCSA issued a notice of proposed rulemaking (NPRM), which proposed a revised methodology for issuance of a safety fitness determination for motor carriers. Specifically, the new methodology would have determined when a motor carrier is not fit to operate commercial motor vehicles in or affecting interstate commerce based on the carrier's on-road safety data; an investigation; or a combination of both. However, in July 2018, in part due to a congressionally mandated evaluation of SMS by the National Academies of Science, FMCSA announced that the enhancements previously proposed will not be completed.
GAO-14-58, Nov 26, 2013
Phone: (202) 512-2623
including 1 priority recommendation
Agency: Executive Office of the President: Office of Management and Budget
Status: Open
Priority recommendation
Comments: To address the recommendation, OMB should issue guidance on internal control for disaster relief funding, including criteria for identifying additional risks and mitigating controls related to the funding and a requirement to link these incremental risks to ongoing efforts to address known internal control risks. On July 15, 2016, OMB issued the revised Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. The Circular requires agencies to implement enterprise risk management, which includes the development of a risk profile that analyzes the risks faced in achieving strategic objectives and identifies options for addressing them. In April 2017, OMB staff stated that they believe that the implementation of enterprise risk management through Circular No. A-123 satisfies the intent of our recommendation. Because the responsibility for implementing enterprise risk management lies with agency management, Circular No. A-123 does not include specific guidance for identifying risks related to disaster funding. Further discussion and documentation to support OMB's position that the revised Circular addresses our recommendation will be necessary. The Bipartisan Budget Act of 2018, Sec. 21208(c) requires OMB to issue standard guidance for Federal agencies to use in designing internal control plans for disaster relief funding in order to proactively prepare for oversight of future disaster relief funds. The Act states this guidance shall leverage existing internal control review processes and shall include, at a minimum, (1) robust criteria for identifying and documenting incremental risks and mitigating controls related to the funding, and (2) guidance for documenting the linkage between the incremental risks related to disaster funding and efforts to address known internal control risks. GAO reviewed OMB's actions to implement the law.
On June 28, 2019, GAO reported in 2017 Disaster Relief Oversight: Strategy Needed to Ensure Agencies' Internal Control Plans Provide Sufficient Information, GAO-19-479 (Washington, D.C.: Jun 28, 2019), that the 2013 recommendation remains open and that we plan to continue monitoring OMB's progress in implementing this priority recommendation. Further, the report stated that OMB did not have an effective strategy to ensure that agencies timely submitted internal control plans, and that OMB's Memorandum M-18-14, Implementation of Internal Controls and Grant Expenditures for the Disaster-Related Appropriations, lacked specific instructions to agencies on what to include in their internal control plans. As such, a new recommendation was warranted. As of February 2020, OMB has not provided any new status updates for this recommendation.
GAO-14-15, Nov 6, 2013
Phone: (202) 512-2834
Agency: Department of Homeland Security
Status: Open
Comments: DHS officials had previously indicated that DHS's Office of Infrastructure Protection (IP) and Office of Cyber and Infrastructure Analysis (OCIA) have discussed an update of the GPS risk assessment. Additionally, information from DHS shows that DHS has continued other efforts to collect potentially relevant threat, vulnerability, and consequence data for various GPS equipment in use. For example, according to DHS officials, DHS has conducted visits to major maritime, finance, wireless communications, and electricity firms to gauge their understanding of GPS vulnerabilities and of technology- and strategy-based efforts to improve GPS resilience, and DHS documentation shows that DHS has held events to test GPS receivers as part of assessing vulnerabilities. In August 2020, DHS officials provided GAO with additional information regarding their progress on implementing the recommendation. We will update the status of this recommendation after we review the additional information from DHS.
GAO-13-369, May 10, 2013
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of February 2020, IRIS program officials indicated that they are building capacity for applying systematic review in chemical assessments. We reported in March 2019 that staff from the IRIS program were communicating more frequently with EPA program and regional offices about program and regional office needs and the IRIS program's ability to meet those needs. While ORD's newly-implemented survey process helps identify a limited number of the highest priority needs for program and regional offices, we also reported in March 2019 that program and regional officials told us that they still need far more chemical assessments than the IRIS program currently produces, and they do not have EPA-wide guidance on what sources to use when IRIS assessments are not available. One program office has developed its own prioritized list of sources for chemical assessments when IRIS assessments are not available, and other offices follow similar guidelines, though none officially. EPA leadership needs to provide documentation showing an agency-wide strategy that includes identifying data gaps and guidance on alternative sources of toxicity information when IRIS values are not available, applicable, or current.
GAO-13-432, Apr 26, 2013
Phone: (202) 512-4841
including 2 priority recommendations
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: DOD partially concurred with our 2013 recommendation that decisionmakers should have insight into the full lifecycle costs of MDA's weapon systems outlined in the Ballistic Missile Defense System Accountability Report (BAR), including the military services' operations and sustainment (O&S) costs. This is especially important, as after more than a decade MDA has yet to transfer weapon systems in production and sustainment to the military services, as originally intended. Consequently, MDA is becoming responsible for an increasing amount of the costs associated with these weapon systems. DOD and Congress have expressed concerns over this situation and are exploring a path forward; however, in the meantime, determining the O&S costs can help decisionmakers fully understand the financial responsibility for these weapon systems, be it with the military services or MDA. MDA cited beginning to report aspects of this information in the BAR and also establishing joint cost estimates (JCE) for O&S with the military services for some weapon systems, both of which could potentially serve as a means of providing decisionmakers with insight into the full lifecycle costs. We have an ongoing assessment that will evaluate both of MDA's cited efforts and the extent to which these are providing decisionmakers with a comprehensive understanding of the depth and breadth of each weapon system's full lifecycle costs.
Agency: Department of Defense
Status: Open
Priority recommendation
Comments: DOD concurred with our 2013 recommendation regarding the need for MDA to stabilize its acquisition baselines, but also noted MDA's need to adjust its baselines to remain responsive to evolving requirements and threats; both of which are beyond MDA's control. Further, DOD highlighted the MDA Director's authority to make adjustments to the agency's programmatic baselines, within departmental guidelines. Our recommendation, however, is not designed to limit the Director's authority to adjust baselines or to prevent adjusting the baselines, as appropriate. Rather, our recommendation is designed to address traceability issues we have found with MDA's baselines, which are within its control. Specifically, for MDA to be able to effectively report longer-term progress of its acquisitions and provide the necessary transparency to Congress, it is critical that the agency stabilize its baselines so that once set, any revisions can be tracked over time. We have an ongoing assessment to update MDA's progress.
GAO-13-249, Mar 22, 2013
Phone: (202) 512-3841
including 1 priority recommendation
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of March 2020, several sections of this recommendation have been superseded by the Frank R. Lautenberg Chemical Safety for the 21st Century Act of 2016. However, questions remain about whether the Office of Chemical Safety and Pollution Prevention, which oversees implementation of this legislation, has identified the resources necessary to conduct risk assessments and implement risk management decisions.
GAO-13-150, Dec 19, 2012
Phone: (202) 512-7022
Agency: Congress
Status: Open
Comments: As of May 15, 2020, Section 29 of CPSA had not been amended since 2008. In 2013, a bill was introduced (S.1887) but not passed. That bill would have allowed "the Commission, when sharing information under the federal-state cooperation program with a foreign government agency for official law enforcement or consumer protection purposes, to authorize a foreign government agency to make that information available to another agency of the same foreign government (including a political subdivision of that foreign government that is located within the same territory or administrative area as the agency disclosing the information) if an appropriate official of the foreign government agency disclosing the information certifies (by prior agreement, memorandum of understanding with the CPSC, or other written certification) that it will establish and apply specified confidentiality restrictions under the Consumer Product Safety Act."
GAO-13-22, Nov 18, 2012
Phone: (202) 512-4859
including 1 priority recommendation
Agency: National Aeronautics and Space Administration
Status: Open
Priority recommendation
Comments: NASA partially agreed with this recommendation, stating that the reliability and utility of the EVM data needed to be improved but that it did not plan to implement a formal surveillance plan due to resource constraints. Since initially commenting on the report, however, in December 2018, NASA included an initiative in its Corrective Action Plan (a plan put in place in response to recent programmatic performance and NASA's designation on GAO's High-Risk List) to enhance EVM implementation. In June 2019, NASA issued EVM guidance that covered several items, including enhancing in-house and contracted earned value management surveillance and requiring EVM reporting at Baseline Performance Review. NASA officials reported that its near-term plans are well-defined to address the reliability of project EVM data, but they have expressed concerns about funding challenges and cultural resistance. To fully implement this recommendation, NASA will need to take action and provide documentary support for several of its identified planned next steps to enhance EVM surveillance. Without implementing proper surveillance, NASA may be utilizing unreliable EVM data in its analyses to inform its cost and schedule decision making.
GAO-13-36, Oct 4, 2012
Phone: (202) 512-2834
Agency: Department of Transportation
Status: Open
Comments: In July 2019, GAO confirmed that FAA still does not plan to collect General Aviation (GA) flight hour data during registration renewals or annual maintenance inspections because this would require rulemaking and could have a significant economic and paperwork impact on the GA industry. While FAA has made changes to the GA Activity Survey to improve the accuracy of the flight hour data collected for a sample of GA populations, FAA still does not plan to collect all GA flight hour data as part of its GA Activity Survey. GAO maintains that without comprehensive GA flight hour data, estimates from the GA Activity Survey may not be sufficient for drawing conclusions about changes in crash rates over time and that more precise flight hour data could allow FAA to better target its safety efforts within the GA industry.
Agency: Department of Transportation
Status: Open
Comments: In July 2019, GAO confirmed that FAA still does not plan to develop safety targets for different segments of the General Aviation (GA) industry. While FAA's General Aviation Joint Steering Committee was exploring metrics for monitoring different GA industry segments, it was determined that developing credible metrics was not feasible using the GA Activity Survey. GAO maintains that FAA needs to develop specific general aviation safety improvement targets for individual industry segments to support a data-driven, risk management approach.
Agency: Department of Transportation
Status: Open
Comments: FAA reported it established performance measures for significant programs and activities underlying its 5-year strategy. However, as of July 2019 FAA has still not provided GAO with documentation of these performance measures. Without this documentation, GAO cannot confirm that the agency has developed performance measures for each significant program and activity underlying its 5-year strategy.
GAO-12-366, Mar 26, 2012
Phone: (202) 512-3000
Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open
Comments: DOD compiled lessons learned during the source selection phase of the KC-46 program. As of August 2020, the Department has identified lessons learned during program implementation to evaluate cost, schedule and performance outcomes as we recommended. Program officials provided a copy of the report, which is with SAF/AQ for approval, and will then be distributed across the department.
GAO-12-42, Dec 9, 2011
Phone: (202) 512-9338
including 1 priority recommendation
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of March 2020, we have not seen a formal written memo from the IRIS program laying out this information - in detail - publicly, or how timelines for assessments are influenced by various criteria. While IRIS program staff have discussed this issue, no written guidance has been created. Such communication from the IRIS Program, as well as more frequent updates of the timelines for chemicals currently in assessment and projected starting dates for every chemical listed as "under assessment," are needed.
Agency: Environmental Protection Agency
Status: Open
Comments: As of March 2020, EPA's Integrated Risk Information System (IRIS) Program has established the priority chemicals it is working on, and has published some timelines via the IRIS Program Outlook document. However, this information has not been published as an agenda in the Federal Register.
GAO-11-696, Jul 21, 2011
Phone: (202) 512-5837
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: We most recently sought information from the Board of Governors of the Federal Reserve System in July 2018 regarding the status of the recommendation but did not receive any new information. Therefore, the recommendation remains open.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: We most recently sought information from the Board of Governors of the Federal Reserve System in July 2018 regarding the status of the recommendation but did not receive any new information. Therefore, the recommendation remains open.
Agency: Federal Reserve System: Board of Governors
Status: Open
Comments: We most recently sought information from the Board of Governors of the Federal Reserve System in July 2018 regarding the status of the recommendation but did not receive any new information. Therefore, the recommendation remains open.
GAO-10-349, Feb 10, 2010
Phone: (202) 512-3000
Agency: Congress
Status: Open
Comments: Congress has expanded IRS's math error authority in certain circumstances, but not as broadly as we suggested in February 2010. Section 208 of division Q of the Consolidated Appropriations Act, 2016 (Public Law 114-113 enacted in December 2015) gave IRS the authority to use math error authority if (1) a taxpayer claimed the Earned Income Tax Credit, Child Tax Credit, or the American Opportunity Tax Credit (AOTC) during the period in which a taxpayer is not permitted to claim such credit as a consequence of either having made a prior fraudulent or reckless claim; or (2) a taxpayer omitted information required to be reported because the taxpayer made prior improper claims of the Child Tax Credit or the AOTC. In addition, Congress expanded math error authority for the First-Time Homebuyer Credit in November 2009. While expanding math error authority is consistent with what we suggested in February 2010, we maintain that a broader authorization of math error authority with appropriate controls would enable IRS to correct obvious noncompliance, would be less intrusive and burdensome to taxpayers than audits, and would potentially help taxpayers who underclaim tax benefits to which they are entitled. If Congress decides to extend broader math error authority to IRS, controls may be needed to ensure that this authority is used properly such as requiring IRS to report on its use of math error authority. The Administration also requested that Congress expand IRS's math error authority as part of the President's budget proposal for fiscal year 2021. 
Specifically, the Administration requested authority to correct a taxpayer's return in the following circumstances: 1) the information provided by the taxpayer does not match the information contained in government databases; 2) the taxpayer has exceeded the lifetime limit for claiming a deduction or credit; or 3) the taxpayer has failed to include with his or her return certain documentation that is required by statute. As of January 2020, the Congress had not provided IRS with such authority. We continue to believe that Congress should broaden IRS's math error authority with appropriate safeguards in order to help reduce the tax gap, which is the difference between tax amounts that taxpayers should have paid and what they actually paid.
GAO-10-246, Feb 3, 2010
Phone: (202) 512-2649
Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open
Comments: On November 16, 2017, FDA published a notification of availability for the draft guidance "Best Practices for Convening a GRAS Panel: Guidance for Industry," with a request for comments on the draft guidance by May 15, 2018. FDA indicated that the draft guidance represents FDA's current thinking on strategies to minimize the potential for conflicts of interest in companies' GRAS determinations, including assessing potential GRAS panel members for conflicts of interest. As of July 2020, FDA had not yet finalized the guidance, so we are leaving the recommendation open.
GAO-10-205, Jan 28, 2010
Phone: (202) 512-6225
Agency: Congress
Status: Open
Comments: As of March 2020, we have not identified actions by the Congress to establish in law requirements such as those in Executive Order 13045.
GAO-10-115, Oct 23, 2009
Phone: (202) 512-3841
Agency: Department of Energy
Status: Open
Comments: NNSA provided evidence that it requires life cycle cost analyses for projects greater than $20 million. However, this is not fully responsive to GAO's recommendation. For example, the recommendation stated that each life cycle cost analysis performed includes short- and long-term construction and financing alternatives and that these analyses should consider the full life of the facility rather than the 20-year requirements for GSA leases or any predetermined length of time. NNSA's actions do not address this aspect of the life cycle cost analysis. Our work found that the facility's life cycle cost analysis only covered 20 years and it failed to reflect cost savings over a longer useful life (possibly over 50 years) that could have been realized if the facility were purchased instead of leased. Nothing in the Order addresses how the life cycle cost period to be analyzed should be established (e.g., 20 years or 50 plus years). Although we requested additional information from NNSA on this recommendation in fiscal year 2019, the agency has not responded. As a result, as of June 2020, the recommendation remains open.
Agency: Department of Energy
Status: Open
Comments: As of August 2020, there has been no change in the status of this recommendation. While NNSA/contractor actions are commendable and appear to be beneficial, such as adding performance-based incentives, training 950 employees, and including new contract clauses in its supplier purchase orders, these actions do not fully satisfy the recommendation. GAO's recommendation was specifically directed at the effectiveness of NNSA's oversight of the KCP contractor's export control and nonproliferation practices and to initiate corrective actions to strengthen that NNSA oversight. While the Kansas City Site Office's addition of a performance-based incentive seems to be a good improvement, NNSA has not demonstrated its own oversight effectiveness. Our review of NNSA's response provided in March 2014 was not persuasive. In addition, GAO-16-710 found that as of May 2016, the Secretary of Energy had not used the enhanced procurement authority to ensure supply chain integrity, and the Department of Energy (DOE) had not developed processes for using the authority, as it had not fully assessed the circumstances under which the authority might be useful. Although NNSA provided additional information on this recommendation in August 2019, these actions relied primarily on contractor self-assessments and not on independent federal oversight. As a result, this recommendation will continue to remain open.
GAO-09-455, Aug 21, 2009
Phone: (202) 512-3000
including 1 priority recommendation
Agency: Department of Homeland Security
Status: Open
Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA's current payment rates do not explicitly consider WYO insurers' actual expenses and profit. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. However, GAO has reported that an annual analysis of the WYO insurers' actual expenses and profit could be regularly performed in relation to FEMA's existing payment methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they would complete an annual analysis of WYO data by the end of fiscal year 2020 and that they were reviewing comments received in response to the July 2019 notice.
Agency: Department of Homeland Security
Status: Open
Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.
Agency: Department of Homeland Security
Status: Open
Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop method(s) for obtaining reasonable assurance that NAIC data is accurate and usable for setting payment rates before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.
Agency: Department of Homeland Security
Status: Open
Comments: According to FEMA officials, FEMA is responding to this recommendation as part of its development of a final rule on WYO compensation practices, required by the Biggert-Waters Act. FEMA can also take actions, in addition to any actions related to the rule, to develop and implement data analysis strategies to annually test the quality of flood insurance data WYO insurers report to NAIC before implementation of a new compensation methodology. FEMA issued an Advance Notice of Proposed Ruling on July 8, 2019 seeking comments by September 6, 2019 regarding possible approaches to incorporating actual flood insurance expense data into the WYO payment methodology. As of February 2020, FEMA officials said that they were reviewing comments received in response to the July 2019 notice.
Phone: (202) 512-5837
including 1 priority recommendation
Agency: Department of Homeland Security
Status: Open
Priority recommendation
Comments: In April 2018, FEMA officials told us they had begun to redesign NFIP's risk rating system to help ensure policy rates better reflect the risk of flooding. The redesign, known as Risk Rating 2.0, includes efforts to use catastrophe models, stochastic approaches, and updated map information to better reflect the variation in flood risk. These reforms are also intended to improve how FEMA's rating process accounts for general and specific factors that affect flood probabilities and damage. While FEMA initially announced that new rates for all single-family homes would go into effect nationwide on October 1, 2020, it announced in November 2019 that it would defer implementation to October 1, 2021. FEMA said this would allow it to conduct a comprehensive analysis of the proposed rating structure so as to protect policyholders and minimize any unintentional negative effects of the transition, and that the new implementation date would cover all NFIP policies.
Agency: Department of Homeland Security
Status: Open
Comments: As of February 2020, FEMA officials said they had finished identifying properties with grandfathered premium rates and that they planned to analyze their economic implications as part of their efforts to update their premium rate setting approach, known as Risk Rating 2.0. FEMA plans to implement this redesign on October 1, 2021.
GAO-09-56, Oct 3, 2008
Phone: (202) 512-6570
Agency: Department of Transportation
Status: Open
Comments: In GAO-09-56, GAO recommended the Secretary of Transportation consider and evaluate practices and principles for making decisions under uncertainty and for using data in light of issues encountered in developing evidence on high-clockspeed trends affecting highway safety that are characterized by uncertainty. GAO had studied driver distraction involving electronic devices, in particular cell phones with texting capability, and identified these evolving electronic devices as a high-clockspeed trend. DOT reports several actions on distracted driving, specifically: (1) an Executive Order to federal employees not to engage in text messaging while driving government-owned vehicles; when using electronic equipment supplied by the government while driving; or while driving privately owned vehicles when they are on official business; (2) the Secretary called on state and local governments to (a) make distracted driving part of their state highway plans, (b) pass state and local laws against distracted driving in all types of vehicles, (c) back up public awareness campaigns with high-visibility enforcement actions; (3) the Secretary directed the Department to establish an on-line clearinghouse on the risks of distracted driving and also (4) pledged to continue the Department's research on how to best combat distracted driving. DOT also notes that the Department's www.distraction.gov website provides information on the latest data on distracted driving and that 34 states have passed laws against texting and driving since the 2009 announcement by the Secretary of DOT.
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation.
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation, but DOT announced a distracted driving summit September 30-October 1, 2009, with a limited number of invitees, and invited the GAO Assistant Director on this report to participate. U.S. Transportation Secretary Ray LaHood stated that the purpose of the summit is "to address the dangers of text-messaging and other distractions behind the wheel." The summit will include "senior transportation officials, elected officials, safety advocates, law enforcement representatives and academics" who will convene in Washington, DC "to discuss ideas about how to combat distracted driving."
Agency: Department of Transportation
Status: Open
Comments: DOT has not responded to this recommendation.
GAO-08-529, May 23, 2008
Phone: (202) 512-7043
Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open
Comments: As of August 2020, CMS had taken some steps to address this recommendation but additional actions are needed to fully implement it. In June 2018, CMS issued a Medicaid update to states explaining that CMS strongly encourages them to include unexpected deaths in their definition of reportable critical incidents. CMS also stated in the update that states should conduct a preliminary review of all beneficiary deaths and investigations should focus on those deaths determined to be unexpected. Further, CMS has shared with states best practices for state mortality reviews that include, for example, the use of an interdisciplinary review committee and taking actions to address identified quality of care problems. CMS also developed a webinar training (Incident Management 101) to help states improve their incident management systems for the Medicaid HCBS waiver. The webinar outlines the key elements of building a comprehensive incident management system (e.g., establishing a process for conducting investigations of incidents, tracking and trending incidents to help prevent and mitigate incidents from occurring) and reiterates CMS's expectation that states identify and address unexplained deaths on an ongoing basis in order to meet the waiver's health and welfare assurance. In late 2018, CMS planned to include in its revised waiver application questions to determine practices regarding states' review and evaluation of unexpected deaths. In September 2019, CMS officials notified us that they would provide an updated status report on this recommendation in November 2019. As of August 2020, CMS officials have not provided us information regarding its revised waiver application and technical guide. We will update the status of this recommendation when we receive this information.
GAO-08-440, Mar 7, 2008
Phone: (202) 512-6225
including 1 priority recommendation
Agency: Environmental Protection Agency
Status: Open
Priority recommendation
Comments: As of February 2020, EPA officials indicated that the IRIS Program had almost completed internal review of a "Handbook for Developing IRIS Assessments," intended to guide staff through the sequential stages of the IRIS assessment process and ensure consistency across assessments. The Handbook, when finalized and used by staff, codifies the agency's effort to reevaluate its assessment process, but doesn't address the resources that should be dedicated to the IRIS Program. A workforce plan that includes both staff and budget resources consistent with user needs is necessary. As we reported in March 2019, the program has made strides utilizing project management software and project management techniques that enable the IRIS Program to better plan assessment schedules and utilize staff. However, we also reported in March 2019 that the President's budget requests since fiscal year 2018 have repeatedly cut the budget by as much as 40 percent for the Health and Environmental Risk Assessment (HERA) area, of which IRIS is a part. While these cuts were not enacted by Congress, the President's fiscal year 2021 budget request again cuts the HERA program by 34 percent, or approximately $12.7 million. These cuts could have an impact on the IRIS program's ability to meet EPA program and regional office needs, if enacted by Congress.