GAO’s recommendations database contains report recommendations that still need to be addressed.
GAO’s priority recommendations are those that we believe warrant priority attention.
We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues.
Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations.
Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of April 1, 2020, there are 4994 open recommendations, of which 380 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Browse or Search Open Recommendations
Have a Question about a Recommendation?
For questions about a specific recommendation, contact the person or office listed with the recommendation.
For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or email@example.com.
Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.
Agency: Department of Homeland Security Status: Open Priority recommendation
Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. DHS, through TSA, has taken steps to address this recommendation by having an internal controls assessment conducted of the TWIC program's enrollment, background checking, credential issuance, and continued eligibility review. In February 2018, TSA, with assistance from DHS's Science and Technology Directorate, initiated a study with a Homeland Security Operational Analysis Center to conduct an assessment of the TWIC program's security effectiveness in the maritime environment. The study was received by DHS in August 2019 and as of January 2020 is undergoing review by the Office of Management and Budget. The study plan sets forth methods for assessing the TWIC program's planned use with card readers. However, the study will not assess information systems controls and related risks for reasonably assuring that use of TWIC with readers and associated systems used for access control decisions are reliable and not surreptitiously altered by cyber intrusions or attack. This is notable as one of the TWIC program's four defined mission needs-reason for the program-is to ensure that unauthorized individuals are not able to defeat or otherwise compromise the access system in order to be granted permissions that have been assigned to an authorized individual. In September 2019 DHS noted that the assessment would not review cyber vulnerabilities of access control systems because the issue was not specifically cited in our report. However, the basis for our recommended effectiveness assessment, which is to include addressing internal control weaknesses, is that an internal controls assessment of the TWIC program identifying related weaknesses and risks be conducted. Consideration of systems and related control activities used to achieve objectives and respond to risks is a principal of internal control assessments. Moreover, it is directly relevant for an access control program, such as the TWIC program, that is proposed to rely on the interplay of systems to achieve its central security objective. In addition, based on our review of documentation provided, the assessment does not include an assessment of the federally managed single credential approach in contrast to federally regulated decentralized options, such as the SIDA airport credentialing model, the Hazardous Materials endorsement for truck drivers (wherein an endorsement is added to a driver's license), the federal government's own agency-specific credentialing model which relies on organizational sponsorship and credentials with agency-specific security features, or any combination thereof. Absent an assessment of controls for ensuring the reliable use of TWIC with readers and the above-noted types of credentialing approaches, the study will fall short in meeting our recommendation and the deficiencies identified in our report. With consideration of the above noted shortfalls, DHS should proceed to conduct an assessment of the TWIC program's effectiveness to determine whether the benefits of continuing to implement and operate the program in its present form and planned use with readers surpass the costs. As of January 2020, DHS reports that the planned December 2019 delivery of the study to GAO is delayed pending a review by the Office of Management and Budget. DHS's revised estimated completion date for addressing GAO's recommendation(s) is now March 31, 2020. We will assess the information provided in consideration of recommendation closure once received.