Reports & Testimonies

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 

Recommendations Database

GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Browse or Search Open Recommendations

Search


Have a Question about a Recommendation?

  • For questions about a specific recommendation, contact the person or office listed with the recommendation.
  • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

« Back to Results List Sort by   

Results:

Subject Term: "Security policies"

4 publications with a total of 11 open recommendations
Download these results in CSV format or XLSX format.
VA Facility Security: Policy Review and Improved Oversight Strategy Needed
GAO-18-201, Jan 11, 2018
Director: Lori Rectanus
Phone: (202) 512-2834

2 open recommendations
Display
Recommendation: The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it was in the process of working with the lnteragency Security Committee (ISC) to update its vulnerability assessment program, with a target completion date of January 2019. Despite multiple attempts, as of June 2020, VA has not provided any information on its progress in updating its program.
Recommendation: The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it had identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities and that it was reviewing an ISC-certified risk assessment tool for possible implementation consideration. Despite multiple attempts, as of June 2020, VA had not provided an update on its efforts to implement this recommendation.
Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD
GAO-17-668, Jul 27, 2017
Director: Kirschbaum, Joseph W
Phone: (202) 512-9971

2 open recommendations
Display
Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.
Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.
National Mall: Actions Needed to Better Manage Physical Security Risks
GAO-17-679, Jul 27, 2017
Director: Lori Rectanus
Phone: (202) 512-2834

1 open recommendations
Display
Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

Agency: National Gallery of Art
Status: Open

Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation
Federal Chief Information Security Officers: Opportunities Exist to Improve Roles and Address Challenges to Authority
GAO-16-686, Aug 26, 2016
Director: Gregory C. Wilshusen
Phone: (202) 512-6244

6 open recommendations
Display
Recommendation: To assist CISOs in carrying out their responsibilities, the Director of OMB should issue guidance for agencies' implementation of the FISMA 2014 requirements to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as implementing the other elements of an agency-wide information security program, taking into account the challenges identified in this report.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: The Office of Management and Budget (OMB) partially concurred with this recommendation, but does not intend to directly issue guidance as recommended. As of June 2020, OMB has not provided sufficient evidence that it has implemented this recommendation. We will continue to monitor OMB's implementation of this recommendation.
Recommendation: To ensure that the role of the SISO is defined in department policy in accordance with FISMA 2014, the Secretary of Defense should define the SISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of Defense
Status: Open

Comments: In response to our report, DOD partially concurred with our recommendation; however, DOD subsequently concurred with the recommendation and is taking steps to implement it. The department stated that the issuance of an updated Cyber Incident Handling guidance is on track to be completed and coordinated in the third quarter of fiscal year 2018. As of June 2020, it has not yet provided sufficient evidence that it has implemented the recommendation. When we confirm what actions DOD has taken, we will provide updated information.
Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of State should define the CISO's role in department policy for ensuring that the department has procedures for incident detection, response, and reporting.

Agency: Department of State
Status: Open

Comments: The Department of State (State) concurred with this recommendation. However, as of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. When we receive additional evidence from State, we will review it to determine whether the department has addressed the recommendation.
Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that subordinate security plans are documented for the department's information systems.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.
Recommendation: To ensure that the role of the CISO is defined in department policy in accordance with FISMA 2014, the Secretary of Transportation should define the CISO's role in department policy for ensuring that security controls are tested periodically.

Agency: Department of Transportation
Status: Open

Comments: The Department of Transportation (DOT) concurred with the recommendation and is currently updating its Cybersecurity Policy. The Department plans to be complete by June 29, 2019. As of June 2020, the department has not yet provided sufficient evidence that it has implemented the recommendation. Upon receiving additional evidence from DOT, we will review it to determine whether the department has addressed the recommendation.
Recommendation: To ensure that the role of the SAISO is defined in agency policy in accordance with FISMA 2014, the Administrator of the National Aeronautics and Space Administration should define the SAISO's role in agency policy for oversight of security for information systems that are operated by contractors on the agency's behalf.

Agency: National Aeronautics and Space Administration
Status: Open

Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. As of June 2020, NASA stated that the agency is working to update the relevant policy to address this recommendation, but the update is taking longer than expected; NASA expects the policy to be updated and the review process to be completed by November 30, 2020. We will examine the evidence when NASA provides it.