Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment implements DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant DOD guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Under Secretary of Defense for Acquisition and Sustainment should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that the Under Secretary of Defense for Acquisition and Sustainment will oversee updates to relevant guidance related to supply processes and that they anticipate the updates to be complete by May 31, 2021. The department further noted that the Under Secretary of Defense for Acquisition and Sustainment will ensure updates are made to the acquisition policies, when and if appropriate. However, the department stated that its Adaptive Acquisition Framework currently provides all of the necessary flexibility required. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Army should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Army guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Army should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 2)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that the Army would update, as appropriate, Army guidance related to acquisition and supply upon updates to DOD's climate adaptation directive and other applicable DOD or federal regulations. However, DOD noted that it does not plan to update its acquisition guidance in response to our recommendation that DOD do so. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Navy should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Navy guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Navy should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 3)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that the Department of the Navy had suggested that the recommendation be restated to recommend that the Department of the Navy ensure that its guidance and procedures are updated to align with DOD's directive on climate adaptation upon issuance of an updated directive. However, DOD has not identified any plans to update its directive on climate change adaptation. Thus, we continue to believe that the Department of the Navy should update its guidance related to acquisition and supply to incorporate the current guidance in DOD's climate adaptation directive, which it has not yet done. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of the Air Force should implement DOD Directive 4715.21 on climate change adaptation and resilience by updating, as appropriate, relevant Department of the Air Force guidance related to acquisition and supply processes to incorporate the directive's provisions pertaining to those processes. In doing so, the Secretary of the Air Force should consider providing guidance as to how departmental officials may leverage already existing information regarding private companies. (Recommendation 4)

Agency: Department of Defense: Department of the Air Force
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that the Air Force will work with the Office of the Under Secretary of Defense for Acquisition and Sustainment and the other military services to develop specific policies that address climate-related risks to DOD contractors. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy, in coordination with the Under Secretary of Defense for Acquisition and Sustainment, the Secretaries of the military departments, and any other governmental and private-sector partners, as appropriate, determine what approaches may be feasible in conducting mission assurance related assessments of commercially owned facilities. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: DOD concurred with this recommendation. In its response, the department noted that formal mission assurance assessments are limited in scope in order to provide additional rigor to protect DOD's most critical capabilities. However, the department stated that the Office of the Under Secretary of Defense for Policy would work with the Office of the Under Secretary of Defense for Acquisition and Sustainment's Defense Contract Management Agency to better understand DOD's commercial dependencies. We will continue to monitor the status of this recommendation.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Policy, in coordination with the Under Secretary of Defense for Acquisition and Sustainment, the Secretaries of the military departments, and any other governmental and private-sector partners, as appropriate, issue new or update existing guidance, based upon the determination of what approaches may be feasible, to clarify the steps that DOD officials involved in the mission assurance process may take to apply the mission assurance framework to commercially owned facilities, as appropriate, to include consideration of risks related to climate change and extreme weather. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with this recommendation. In its response, the department noted that it concurs with the need to clarify steps that officials may take to apply the mission assurance framework to defense critical infrastructure and critical defense industrial base commercially owned facilities, to include consideration of risks related to climate change and extreme weather. However, the department further noted that it does not concur with doing this for all commercial facilities because conducting such assessments for all commercially owned facilities falls outside the capacity and authority of DOD to conduct mission assurance assessments. However, we had not recommended they conduct such assessments for all commercial facilities. We will continue to monitor the status of this recommendation.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Deputy Secretary of Homeland Security should ensure that S&T take steps to more fully incorporate practices for developing milestones within DHS's budget preparation guidance, into the Surface Transportation Explosive Threat Detection program. (Recommendation 1)

Agency: Department of Homeland Security
Status: Open

Comments: In September 2019, GAO reported on a Department of Homeland Security's (DHS) Science and Technology Directorate (S&T) research and development (R&D) program to develop technologies to secure mass transit systems. DHS budget guidance requires S&T to develop results-oriented milestones to track program progress. GAO found that the S&T program's milestones did not clearly link to key activities described in program plans, and thus, were not results oriented. Therefore, we recommended that DHS develop milestones to track its progress developing the technologies that fully adhered to guidance. DHS concurred with our recommendation, and in February 2020, reported that S&T's Finance and Budget Division validated that milestones for the program were compliant with DHS guidance. GAO is currently working with DHS S&T to review documentation related to the validation process in order to close the recommendation..

Recommendation: The Administrator of TSA should develop a mechanism to more routinely and comprehensively share appropriate information on the performance of mass transit security technologies (such as the annual sensor catalog and security technology assessments) with mass transit operators and stakeholders until DHS completes work on a more permanent information sharing resource. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2019, GAO reported on key mechanisms that TSA uses to collaborate and share information on identifying capability gaps and security technologies with stakeholders, including mass transit operators. We found that TSA regularly assesses commercially available technologies, but does not routinely or comprehensively share its results with mass transit operators. Therefore, we recommended that TSA develop a mechanism to routinely and comprehensively share security technology information with mass transit operators. TSA concurred with our recommendation, and in February 2020, reported implementing two of three planned efforts to better share security technology information, including steps to increase distribution of its annual publication on security technologies and to provide regular updates on assessed technologies at routine stakeholder meetings. We will continue to monitor TSA efforts with a third effort in order to close this recommendation.

Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

Agency: Department of Energy
Status: Open
Priority recommendation

Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.

Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Agency: Federal Energy Regulatory Commission
Status: Open

Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.

Recommendation: The Under Secretary of Defense for Intelligence, in coordination with the DOD Chief Information Officer, the Under Secretaries of Defense for Policy; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should conduct operations security surveys that identify IoT security risks and protect DOD information and operations, in accordance with DOD guidance, or address operations security risks posed by IoT devices through other DOD risk assessments.

Agency: Department of Defense: Office of the Under Secretary of Defense for Intelligence
Status: Open

Comments: DOD concurred with this recommendation. We reached out to DOD in August 2018 on this recommendation and are awaiting their response.

Recommendation: The Principal Cyber Advisor, in coordination with the DOD Chief Information Officer; the Under Secretaries of Defense for Policy; Intelligence; Acquisition, Technology, and Logistics; and Personnel and Readiness; and with military service and agency stakeholders, should (1) review and assess existing departmental security policies and guidance--on cybersecurity, operations security, physical security, and information security--that may affect IoT devices; and (2) identify areas where new DOD policies and guidance may be needed--including for specific IoT devices, applications, or procedures--and where existing security policies and guidance can be updated to address IoT security concerns.

Agency: Department of Defense: Office of the Principal Cyber Advisor to the Secretary of Defense
Status: Open

Comments: DOD concurred with this recommendation. DOD has implemented one geo-location policy in 2018 relating to operations security that addresses a portion of this recommendation.

Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

Agency: National Gallery of Art
Status: Open

Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to assess and document how the alternative technological solutions being considered will fully meet operational needs related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that it plans to assess and document requirements related to ultralight aircraft threats and how technological solutions will address these requirements as part of U.S. Customs and Border Protection (CBP) Air and Marine Operations (AMO) air domain awareness efforts. In March 2018, CBP completed an Air Domain Awareness Capability Analysis Report that identifies current capability gaps, including those related to ultralight aircraft. CBP stated that it plans to build upon the Capability Analysis Report to identify mission needs, a concept of operations, and operational requirements to address ultralight aircraft and other threats in the air domain. In February 2020, AMO reported that, in 2019, it conducted a technical assessment of one technology and plans to assess other systems in 2020 and 2021 to help determine if they fit into AMO's larger strategic vision for persistent wide area surveillance to address ultralight aircraft and other threats in the air domain. To fully address our recommendation, CBP should assess and document how alternative solutions will meet operational requirements related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP and the Director of ICE to jointly establish and monitor performance measures and targets related to cross-border tunnels.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred with this recommendation and stated that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement will review available information and develop performance measures and targets as deemed appropriate. As of March 2020, CBP and ICE have not reported taking any actions to develop performance measures and targets. To fully address our recommendation, CBP and ICE should establish and monitor performance measures and targets related to cross-border tunnels.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commissioner of CBP to establish and monitor performance targets related to ultralight aircraft.

Agency: Department of Homeland Security
Status: Open

Comments: DHS concurred and stated that within U.S. Customs and Border Protection (CBP), Air and Marine Operations and the U.S. Border Patrol are developing a joint performance measure and targets for interdicting ultralight aircraft. However, in December 2019, CBP reported that it will no longer pursue establishing a performance measure because it found that the ultralight aircraft interdiction rate fluctuated year to year, and that the number of ultralight aircraft incidents had been trending downward. Subsequently, in September 2020, CBP officials stated that they had reinitiated efforts to develop a performance measure and target in response to our continued belief that they can be set and would help CBP monitor performance to ensure that technology investments and operational responses to address ultralight aircraft are effective. To fully address our recommendation, CBP should establish a measure and monitor performance related to ultralight aircraft.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the U.S. Customs and Border Protection (CBP)-U.S. Immigration and Customs Enforcement (ICE) tunnel committee to convene and establish standard operating procedures for addressing cross-border tunnels, including procedures for sharing information.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. However, CBP and ICE agreed that strengthening operational procedures may be beneficial and stated that they will jointly review procedures and discuss revising and/or consolidating the procedures. In May 2018, CBP stated that it is looking for opportunities to standardize procedures for the detection, interdiction, mapping, and remediation of cross-border tunnels. To this end, CBP has plans to develop a standardized training on tunnel identification and tactics, techniques, and procedures for different types of tunnels. In addition, CBP is working to develop a consistent process that will facilitate coordination and collaboration with ICE. In March 2019, CBP reported that CBP and ICE have begun to routinely meet to collectively develop processes for using tunnel robotics, including processes to enhance communication between CBP and ICE. In September 2020, CBP and ICE reported that they do not plan to take any additional steps to address this recommendation. To fully address our recommendation, CBP and ICE should establish standardized procedures for addressing tunnels, including procedures for sharing information with one another.

Recommendation: To help ensure that efforts to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective and that managers and stakeholders have the information needed to make decisions, the Secretary of Homeland Security should direct the Commandant of the Coast Guard, Commissioner of CBP, and the Director of ICE to establish and monitor Regional Coordinating Mechanisms performance measures and targets related to panga boat and recreational vessel smuggling.

Agency: Department of Homeland Security
Status: Open

Comments: DHS did not concur with this recommendation. DHS stated that that it believes that by establishing common terminology to address our first recommendation, the RECOMs will have more reliable, usable analyses to inform their maritime interdiction efforts. However, DHS did not believe that performance measures and targets related to smuggling by panga boats would provide the most useful strategic assessment of operations to prevent all illicit trafficking, regardless of area of operations or mode of transportation. DHS also cited the recent creation of the DHS Office of Policy, Strategy, and Plans that is to work with U.S. Coast Guard, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and other components and offices to better evaluate the effectiveness of all operations that work to prevent the illegal entry of goods and people into the country, as appropriate. In February 2020, DHS reported that the department had not taken any further actions to implement this recommendation. We continue to believe that the recommendation is valid and will monitor any actions DHS takes that are responsive to it. For example, in response to a requirement in the National Defense Authorization Act for Fiscal Year 2017, DHS issued reports in May 2018, February 2019, and August 2020 that contain metrics and planned metrics to measure the effectiveness of border security in the maritime environment and other domains. Planned metrics that DHS does not yet have a methodology to measure across all components include situational awareness in the maritime environment, illicit drugs removal rate, and DHS maritime threat response rate. To fully address our recommendation, DHS should measure its performance related to smuggling across U.S. maritime borders.

Recommendation: To address previously identified security vulnerabilities, the Secretary of Veterans Affairs should scan non-Windows network devices in authenticated mode.

Agency: Department of Veterans Affairs
Status: Open

Comments: Veterans Affairs concurred with the recommendation but as of June 2020 has not provided sufficient evidence that it has implemented the recommendation. We will continue to monitor the situation.