Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task an integrated project team, made up of an IT project manager and business owner, with including specific actions in the Public Health and Medical Situational Awareness Strategy Implementation Plan for conducting all activities required to establish and operate the network.

Agency: Department of Health and Human Services
Status: Open

Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS's operating divisions. However, as of January 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Further, HHS has not provided us with a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make the progress needed to establish an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019.

Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to task the integrated project team with developing a project management plan that includes measurable steps--including a timeline of tasks, resource requirements, estimates of costs, and performance metrics--that can be used to guide and monitor HHS's actions to establish the network defined in the plans.

Agency: Department of Health and Human Services
Status: Open

Comments: Officials have previously acknowledged that a public health situational awareness network capability is important for identifying, processing, and comprehending data in real-time and stated that such a capability requires coordination and participation from numerous federal entities, including numerous HHS's operating divisions. However, as of February 2020 agency officials have not indicated whether or not they concur with the recommendation, nor have they taken any action or provided a plan of action describing how they would implement the recommendation. Until steps are taken to implement our recommendation, HHS may not make progress toward establishing an electronic public health situational awareness network capability mandated by PAHPRA in 2013 and in the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019 .

Recommendation: To ensure progress is made toward the implementation of any IT enhancements needed to establish electronic public health situational awareness network capabilities mandated by PAHPRA, the Secretary of HHS should direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance, under the leadership of the HHS CIO.

Agency: Department of Health and Human Services
Status: Open
Priority recommendation

Comments: In HHS' Public Health and Social Services Emergency Fund's fiscal year 2021 budget justification-which includes the Office of the Assistant Secretary for Preparedness and Response-the agency stated it "concurred" with this recommendation. However, as of February 2020, GAO has not received any information demonstrating progress made to implement our recommendation. Until then, HHS may continue to lack the necessary progress needed in order to establish an electronic public health situational awareness network capability mandated by PAHPRA. To address this recommendation, HHS needs to direct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes related to the establishment of the network in accordance with Enterprise Performance Life Cycle Framework guidance.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and documentation describing the proposed alignment and interdependencies between information technology (IT) governance boards. According to VA officials, as of September 2019, the department had continued to further evolve its IT governance framework, reworked the committee structure and related working groups that oversee IT investments, and refined the process for prioritizing investments. A draft IT Governance Policy that describes an updated governance structure intended to implement IT solutions and an agile workforce was to be implemented by March 2020. The department has yet to report on the status and results of this implementation. We will continue to monitor VA's actions to ensure that the implementation is consistent with planned actions.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation, including developing a set of metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that IT investments are aligned to business needs and that expected outcomes are defined prior to making the investments. According to department officials, VA issues a Joint Business Plan that identifies annual milestones associated with initiatives agreed upon by both VHA and OIT. As of September 2020, we are reviewing additional documentation related to the underlying processes that support the compilation of the plan and any related metrics for the associated investments that are to support VHA's mission. We will continue to monitor progress in this area.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation. The department described its intention to ensure that unmet IT needs for the pharmacy benefits management, scheduling, and community care program areas were addressed appropriately during fiscal year 2018 budget formulation. In March 2020, we met with officials from the Pharmacy Benefits Management program office, the Office of Veterans Access to Care, and the Community Care program to discuss the status of new service requests and the extent to which IT needs have been met since our report. While there was a slight decrease in the total number of new service requests that remained open for 5 years or more, officials from each office did not consistently report improvements in how IT needs were being addressed. For example, Pharmacy Benefits Management officials still waited for improvements that may come with the deployment of the new electronic health record system, but they continued to report that updates to industry standards should be addressed sooner and often IT needs did not make it through the prioritization process at the Veterans Health Administration to be considered by the Office of Information and Technology. Community Care officials reported a general improvement in the IT governance process and a more engaged relationship with the Office of Information Technology; however, the list of open new service requests still included long-term VistA-related enhancements, some of which had not yet been prioritized by the department. The Office of Veterans Care has not yet provided an updated list of open new service requests, but officials were satisfied with a new maintenance contract that allowed them to address a number of IT issues. We will continue to monitor the number of new service requests in each program area and the extent to which the IT needs are being met by the IT governance process.

Recommendation: To increase the likelihood that its IT investments develop reliable cost estimates, the Secretary of HUD should finalize, and ensure the implementation of, guidance that incorporates the best practices called for in the GAO Cost Estimating and Assessment Guide.

Agency: Department of Housing and Urban Development
Status: Open

Comments: In April 2017, HUD reported that the department concurred with the recommendation and noted that the Office of the Chief Information Officer (OCIO) intended to establish cost estimation guidance for IT projects within its IT Management Framework Guide, incorporating appropriate best practices from the GAO Cost Estimating and Assessment Guide. In March 2019, HUD reported that, with contractor assistance, the department had begun to develop a standard methodology for investment lifecycle cost estimation; however, the methodology had not been fully institutionalized across all investments, and a policy for cost estimation had not been developed. Lacking an updated IT Management Framework and cost estimation policy, OCIO took additional interim action in the most recent budget cycle to reduce cost estimation risk by having the Chief Technology Officer standardize the cost estimates for IT investments. HUD continues to take action intended to address this recommendation; however, OCIO has not yet finalized a cost estimation methodology or the associated policy for IT investments or established a timeframe for implementing cost estimation practices departmentwide.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps in the JRSS cost estimate; however, as of July 2019, DOD had not provided the documentation. The officials also stated that planning for JIE components other than JRSS and ECAPS had not begun; therefore, there were no other JIE component cost estimates. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network part of the Joint Regional Security Stacks (JRSS) component; however, the schedule was not consistent with the practices described in our report. In addition, In May 2019, officials in the Office of the DOD CIO stated that another JIE initiative, the Enterprise Collaboration and Productivity Services program, had an approved baseline schedule. However, as of July 2019, DOD had not provided the schedule.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule was not consistent with the practices described in our report. In May 2019, officials in the Office of the DOD CIO said that the JRSS schedule had not been re-baselined and the department had not developed a schedule management plan. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department planned to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. However, as of July 2019, the department had not provided an update on the status of its efforts to address the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In May 2019, the office of the DOD CIO stated that it had developed a schedule to complete JIE security assessments. However, as of July 2019, the office had not provided the schedule or demonstrated that it has a strategy for conducting JIE security assessments that includes the rest of the elements of our recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps. However, as of July 2019, DOD had not provided the documentation.

Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

Agency: Office of Personnel Management
Status: Open
Priority recommendation

Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities. As of March 2020, OPM has not provided evidence that it has completed these actions.

Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

Agency: Department of Veterans Affairs
Status: Open

Comments: VA concurred with our recommendation. The agency has conducted security control assessments for the two systems, but these assessments did not show that technical controls were comprehensively tested. According to VA, the agency will complete the next security control assessment in October 2019 and complete the system assessment report in December 2019. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to VA informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2020, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.

Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During GAO's audit of IRS' FY 2019 financial statements, IRS indicated that it had not yet implemented this recommendation. When the agency indicates that it has implemented this recommendation, we will review its actions.

Recommendation: To help ensure that FDA's IT strategic planning activities are successful in supporting the agency's mission, goals, and objectives, the Commissioner of FDA should require the CIO to implement the plan to ensure that expected outcomes of the agency's key IT initiatives are achieved.

Agency: Department of Health and Human Services: Food and Drug Administration
Status: Open

Comments: According to agency officials, FDA's CIO met with the FDA Commissioner in 2016 where the updated IT strategic plan was reviewed and approved. The Commissioner identified key IT initiatives to be implemented within FY2017 and incorporated them into the CIO's performance management appraisal program. According to officials, the Commissioner requires the CIO to implement a plan to ensure that expected outcomes of the agency's key IT initiatives are achieved. Although FDA provided us with an excel spreadsheet that identifies IT initiatives at the agency's weekly FDA project meeting, we requested additional documentation regarding the plan the CIO is required to implement to ensure that expected outcomes of the agency's key IT initiatives are fulfilled. We contacted FDA in September and December 2019 and January 2020 to obtain additional information on the actions taken to implement the recommendation, but have not received a response. We will update the recommendation when additional information is obtained.

Recommendation: The EPA Administrator should direct OGD to develop a timetable with milestones and identify and allocate resources for adopting electronic records management for all 10 regional offices.

Agency: Environmental Protection Agency
Status: Open

Comments: According to EPA officials, the Office of Grants and Debarment (OGD) established an agency-wide electronic grants record workgroup in fiscal year 2016. The workgroup identified the contents of the electronic grant file, technical options, and evaluation criteria. OGD completed its alternatives analysis for scope, general approach, and requirements in fiscal year 2017 and EPA expected this recommendation to be addressed by its new grants management system (GrantsSolutions). However, in January 2020, EPA officials told us that EPA had ceased its migration to GrantSolutions after determining the long-term costs were unsustainable and that the system lacked fundamental functionality necessary for core grant operations and to maintain appropriate internal controls. EPA is now migrating towards a modernized grants administration and management cloud solution. EPA expects this recommendation to be addressed when the new grants management system is fully implemented. EPA anticipates deployment of the new cloud solution in December 2020.

Recommendation: The EPA Administrator should direct OGD to implement plans for adopting an up-to-date and comprehensive IT system by 2017 that will provide accurate and timely data on agencywide compliance with grants management directives.

Agency: Environmental Protection Agency
Status: Open

Comments: Implementation efforts are ongoing. According to EPA officials, OGD is conducting a multi-modular project to upgrade the agency's grants management IT system. EPA expected this recommendation to be addressed by its new grants management system (GrantsSolutions), which had been targeted for deployment in March 2020. However, in January 2020, EPA officials told us that EPA had ceased its migration to GrantSolutions after determining the long-term costs were unsustainable and that the system lacked fundamental functionality necessary for core grant operations and to maintain appropriate internal controls. EPA is now migrating towards a modernized grants administration and management cloud solution. EPA expects this recommendation to be addressed when the new grants management system is fully implemented. EPA anticipates deployment of the new cloud solution in December 2020.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

Agency: Department of Defense
Status: Open

Comments: DOD concurred with our recommendation. In the Fiscal Year 2019 Joint Report issued in November 2018, DOD had taken some steps to address this recommendation. For example, DOD provided more information on the methodologies used to develop budget estimates. However, DOD did not provide complete documentation of the methodologies used to determine budget estimates in the Joint Report. Specifically, DOD provided additional methodological information not included in the Joint Report to GAO in order to fully account for the estimates presented in the FY 2019 Joint Report. Both the Navy and the Air Force stated they would provide the additional methodological information in the FY 2020 Joint Report. In addition, we again identified some instances in which the Air Force's underlying budget information did not match its estimates in the Joint Report. Air Force officials explained that these discrepancies were due to an accounting error in the internal funding system and that the errors will be rectified in the FY 2020 Joint Report. We will continue to monitor DOD's response to this recommendation as we review future Joint reports.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the Department of Defense Chief Information Officer (DOD CIO), and the Secretary of Energy direct the Administrator of the National Nuclear Security Administration (NNSA) to provide more thorough documentation in the joint report on the methodologies used to develop the budget estimates, including information that may be available in related planning documents, and ensure the accuracy and completeness of the information included.

Agency: Department of Energy
Status: Open

Comments: The Department of Energy (DOE) concurred with our recommendation and has taken steps to address it. In both the fiscal year 2018 Joint Report and the fiscal year 2019 Joint Report, DOE included significantly more information on the methodologies used to develop its budget estimates. However, in the fiscal year 2019 Joint Report, DOE did not provide complete information on budget estimates over a 10-year period. Instead, it provided 5 years of budget estimates. We will re-evaluate DOE's implementation of this recommendation as we review future joint reports.

Recommendation: To provide decision makers with better insight and additional context to identify any significant changes to the estimates in the joint report from the prior year and understand the reasons for such changes, and to improve the completeness and transparency of the budget estimates in the report, we recommend that, for future joint reports, the Secretary of Defense should direct the Secretary of the Air Force, the Secretary of the Navy, and the DOD CIO, and the Secretary of Energy direct the Administrator of NNSA to provide comparative information on changes in the budget estimates from the prior year and explain the reasons for those changes.

Agency: Department of Energy
Status: Open

Comments: DOE concurred with our recommendation. However, as of the issuance of the fiscal year 2019 Joint Report, DOE had not taken steps to address this recommendation. The fiscal year 2019 Joint Report did not provide comparative information on changes in NNSA program costs relative to costs in prior joint reports. We will re-evaluate DOE's implementation of this recommendation as we review future joint reports.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Offices finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During our audit of IRS's FY 2019 financial statements, , the agency submitted this recommendation for closure, but our testing determined it should remain open. Subsequently, IRS updated its anticipated closure date for the recommendation to July 2020. As part of our FY 2020 audit, we will continue to monitor IRS's progress in ensuring that its control testing methodology and results fully meet the intent of the control objectives being tested.

Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: During the audit of IRS's FY 2019 financial statements, the agency submitted this recommendation for closure, but our testing determined that it should remain open. While IRS continued to make positive steps to address our recommendation, the agency's implementation of corrective actions did not fully address it. As part of our FY 2020 audit, we will continue to monitor IRS's progress in strengthening its remedial action verification process and ensuring its corrective actions are fully implemented.

Recommendation: To help improve DOD's milestone decision process, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics in collaboration with the military service acquisition executives, program executive officers, and program managers to, as a longer-term effort, select several current or new major defense acquisition programs to pilot, on a broader scale, different approaches for streamlining the entire milestone decision process, with the results evaluated and reported for potential wider use. The pilot programs should consider the following: (1) Defining the appropriate information needed to support milestone decisions while still ensuring program accountability and oversight. The information should be based on the business case principles needed for well-informed milestone decisions including well defined requirements, reasonable life-cycle cost estimates, and a knowledge-based acquisition plan. (2) Developing an efficient process for providing this information to the milestone decision authority by (a) minimizing any reviews between the program office and the different functional staff offices within each chain of command level and (b) establishing frequent, regular interaction between the program office and milestone decision makers, in lieu of documentation reviews, to help expedite the process.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation, and as of February 2020 the Services each identified one pilot program for implementation of streamlined acquisition processes. The Army chose the Improved Turbine Engine Program; the Navy chose the MQ-25 Stingray Unmanned Carrier Aviation Program; and the Air Force chose the MH-139 Grey Wolf Program. In July 2020, DOD indicated that specific streamlining initiatives for these programs will be developed in the near future after Executive Review at the Service level and after the Office of the Under Secretary of Defense (Acquisition and Sustainment) has been informed.

Recommendation: To improve IRS's enforcement and compliance efforts, decrease the administrative and financial burden of maintaining both electronic and paper-based form processing systems, and reduce plan reporting costs, Congress should consider providing the Department of the Treasury with the authority to require that the Form 5500 series be filed electronically.

Agency: Congress
Status: Open

Comments: As of 05/01/2019, Congress has taken no action.

Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarify Schedule C service provider codes to increase reporting consistency.

Agency: Department of Labor
Status: Open

Comments: As August 2018, DOL continues to accept meetings with interested stakeholders on issues related to its 5500 Modernization Project. However, EBSA does not at this time have an expected next action date for this project. The decision was made in the development and clearance of its Spring 2018 regulatory agenda to classify this project as a long-term action.

Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarify Schedule C service provider codes to increase reporting consistency.

Agency: Department of the Treasury
Status: Open

Comments: In 2016, DOL in coordination with IRS and PBGC has implemented cross-year edit checks into EFAST in an effort to improve the consistency in key identifying information, such as the EIN, Plan Number and Plan Name. These checks aim to verify identifying information submitted on the Form 5500 and to notify the filer and government agencies of inconsistencies, which affords filers the ability to review and modify crucial identifying information prior to submission. Additionally, if the filer chooses to submit data that may contain inconsistent information, the edit test indicators provide government users with the ability to more readily detect filings containing potential errors in the identifying information for further review and correction. IRS has also collaborated with DOL and PBGC in issuing proposed revisions to the Form 5500 Series in a Notice of Proposed Forms Revisions. The deadline for public comment ended December 5, 2016. The proposed revisions in the Notice reflect efforts of DOL, IRS, and PBGC to improve the Form 5500 reporting for filers, the public, and the agencies by among other things, (1) modernizing financial information filed by regarding plans; (2) updating fee and expense information on plan service providers with a focus on harmonizing annual reporting requirement with DOL's 408(b)(2); financial disclosure requirements; (3) enhancing the ability to mine data files on annual returns/reports; and (4) improving compliance with ERISA and the Code through selected new questions regarding plan operation, service provider relationships, and financial management of plans. Specifically, in the Notice the agencies propose that Schedule H report assets held and assets disposed of during the plan year to provide more transparency and a more complete report of plan's annual investments and that that the Schedule of Assets be revised to require reporting of assets held through direct filing entities. Additionally, the agencies are proposing revisions to the Schedule H, Schedule of Assets that require filers to complete standardized Schedules in a format enabling data to captured electronically. This requirement would enable importation of information from the Schedules of Assets into structured databases that DOL would make available to the public from each year's Form 5500 Series filing. The agencies are also proposing to add clarifying definitions and instructions to improve the consistency of Form 5000 responses. This includes clarification of conventions to identify filers by name and identifying numbers to help mitigate confusion about legal identities with which plans transact and improve comparability of form data across filings. In addition, the agencies also propose revisions to Schedule C to require reporting of indirect compensation for service provider subject to 408(b)(2) requirements and for all compensation that is required to be disclosed. Further, the Schedule C instructions would be clarified to track more closely with the language of the 408(b)(2) regulations. The agencies are also proposing to limit the codes for Schedule C and requiring the filer to more simply indicate all types of services for each provider identified. Additionally, they propose a requirement to indicate all the types of fees/compensation separately when reporting sources of compensation from parties other than plan and plan sponsor. The agencies are reviewing the public comments and expect the process to continue through 2017. While the Agencies have made considerable efforts to address our recommendation in the proposed revisions to the Form 5500, they have not made any decisions on whether to make changes to the forms or DOL regulations, and have not decided on a timeline for implementation of any changes to the form or DOL regulations that the Agencies ultimately may decide to adopt. We will close this recommendation once the revision is final.

Recommendation: To improve the usefulness, reliability, and comparability of Form 5500 data for all stakeholders while limiting the burden on the filing community, the Secretaries of DOL and Treasury, and the Director of PBGC should consider implementing the findings from our panel when modifying plan investment and service provider fee information, including: (1) revising Schedule H plan asset categories to better match current investment vehicles and provide more transparency into plan investments; (2) revising the Schedule of Assets attachments to create a standard searchable format; (3) developing a central repository for EIN and PN numbers for filers and service providers to improve the comparability of form data across filings; (4) clarifying Schedule C instructions for direct, eligible indirect, and reportable indirect compensation so plan fees are reported more consistently and, as we recommended in the past, better align with the 408(b)(2) fee disclosures; and (5) simplifying and clarify Schedule C service provider codes to increase reporting consistency.

Agency: Pension Benefit Guaranty Corporation
Status: Open

Comments: In 2016, DOL in coordination with IRS and PBGC has implemented cross-year edit checks into EFAST in an effort to improve the consistency in key identifying information, such as the EIN, Plan Number and Plan Name. These checks aim to verify identifying information submitted on the Form 5500 and to notify the filer and government agencies of inconsistencies, which affords filers the ability to review and modify crucial identifying information prior to submission. Additionally, if the filer chooses to submit data that may contain inconsistent information, the edit test indicators provide government users with the ability to more readily detect filings containing potential errors in the identifying information for further review and correction. PBDC has also collaborated with DOL and IRS in issuing proposed revisions to the Form 5500 Series in a Notice of Proposed Forms Revisions. The deadline for public comment ended December 5, 2016. The proposed revisions in the Notice reflect efforts of DOL, IRS, and PBGC to improve the Form 5500 reporting for filers, the public, and the agencies by among other things, (1) modernizing financial information filed by regarding plans; (2) updating fee and expense information on plan service providers with a focus on harmonizing annual reporting requirement with DOL's 408(b)(2); financial disclosure requirements; (3) enhancing the ability to mine data files on annual returns/reports; and (4) improving compliance with ERISA and the Code through selected new questions regarding plan operation, service provider relationships, and financial management of plans. Specifically, in the Notice the agencies propose that Schedule H report assets held and assets disposed of during the plan year to provide more transparency and a more complete report of plan's annual investments and that that the Schedule of Assets be revised to require reporting of assets held through direct filing entities. Additionally, the agencies are proposing revisions to the Schedule H, Schedule of Assets that require filers to complete standardized Schedules in a format enabling data to captured electronically. This requirement would enable importation of information from the Schedules of Assets into structured databases that DOL would make available to the public from each year's Form 5500 Series filing. The agencies are also proposing to add clarifying definitions and instructions to improve the consistency of Form 5000 responses. This includes clarification of conventions to identify filers by name and identifying numbers to help mitigate confusion about legal identities with which plans transact and improve comparability of form data across filings. In addition, the agencies also propose revisions to Schedule C to require reporting of indirect compensation for service provider subject to 408(b)(2) requirements and for all compensation that is required to be disclosed. Further, the Schedule C instructions would be clarified to track more closely with the language of the 408(b)(2) regulations. The agencies are also proposing to limit the codes for Schedule C and requiring the filer to more simply indicate all types of services for each provider identified. Additionally, they propose a requirement to indicate all the types of fees/compensation separately when reporting sources of compensation from parties other than plan and plan sponsor. The agencies are reviewing the public comments and expect the process to continue through 2017. While the Agencies have made considerable efforts to address our recommendation in the proposed revisions to the Form 5500, they have not made any decisions on whether to make changes to the forms or DOL regulations, and have not decided on a timeline for implementation of any changes to the form or DOL regulations that the Agencies ultimately may decide to adopt. We will close this recommendation once any revision are made final.

Recommendation: To ensure effective management and modernization of HUD's IT environment, the Secretary of Housing and Urban Development should direct the department's Chief Information Officer to define the scope, implementation strategy, and schedule of its overall modernization approach, with related goals and measures for effectively overseeing the effort.

Agency: Department of Housing and Urban Development
Status: Open
Priority recommendation

Comments: In July 2018, the Office of the Chief Information Officer (OCIO) reported that the goal of the Chief Technology Officer's technical assessment of HUD's IT environment was to identify gaps and develop an implementation strategy and approach to establish a modernization roadmap. As of March 2020, OCIO reported that it had completed the technical assessment to identify gaps in IT. The department has also taken action to define an overall modernization approach, including the scope, implementation strategy, and schedule for modernizing its IT environment and systems. However, as of March 2020, HUD had not yet established measures for overseeing its modernization efforts.

Recommendation: In order to improve NMB's planning and make the most effective use of its limited resources, the Chairman of the National Mediation Board should develop and fully implement key components of an information security program in accordance with the Federal Information Security Management Act of 2002.

Agency: National Mediation Board
Status: Open

Comments: In February 2020, we determined that NMB had taken some steps to further implement key information security practices, but had not fully implemented this recommendation. We reported in GAO-20-236 that NMB continued to only partially follow the eight key information security practices in accordance with the Federal Information Security Management Act (FISMA). NMB must take other steps, such as providing risk assessment documentation of its enterprise network for fiscal year 2019. NMB officials stated that the agency plans to address several of these practices by the end of fiscal year 2020. They further noted that they hired a Chief Information Officer and planned to hire additional staff and employ contractors to aid in these efforts.

Recommendation: In order to improve NMB's planning and make the most effective use of its limited resources, the Chairman of the National Mediation Board should establish a privacy program that includes conducting privacy impact assessments and issuing system of record notices for systems that contain personally identifiable information.

Agency: National Mediation Board
Status: Open

Comments: In February 2020, we reported in GAO-20-236 that NMB had taken some steps to implement information privacy practices, such as designating a privacy officer. However, NMB must take additional steps, such as specifying whether a system of records notice would be developed, as required by the Office of Management and Budget.

Recommendation: The Commissioner of Internal Revenue should direct the appropriate officials to define and implement a process, including defined criteria, for reselecting ongoing projects.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In March, 2017, IRS issued its Portfolio Investment Plan Process Description Manual for selecting and prioritizing new and ongoing operations support activities. The manual includes criteria for prioritizing selections; and provides for comparing assets against one another to create a prioritized portfolio; and ensuring executives' funding decisions are based upon the process for selecting and prioritizing activities. In March 2018, IRS updated the manual and also issued related detailed procedures. In May 2019, IRS stated that its Information Technology/Strategy and Planning group had developed a prioritization process and associated scoring criteria to help facilitate decision making for business systems modernization programs, projects, and capabilities. The agency noted that improvements were being made to the process and full implementation was anticipated for June 2019.In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.