Recommendation: The Administrator of GSA should direct the Office of Government-wide Policy (1) to incorporate into its guidance approaches or practices that agencies could use to assess utilization of and the ongoing need for property—approaches such as recommendations for periodic justifications, data analytics, and utilization reviews—and (2) to develop a plan and timelines for communicating the guidance to agencies government-wide. (Recommendation 1)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of April 2020, GSA indicated in its 180-day letter that it had published on its website draft guidance in response to the Federal Personal Property Management Act of 2018. In addition, GSA identified several actions it planned to take in the coming months, such as publishing a comprehensive plan and timelines to address GAO's recommendation, publishing a request for information in the Federal Register to seek comments and suggestions, and engaging additional subject matter experts and related associations and standards group to improve upon the draft guidance. GAO will continue to monitor GSA's efforts to implement this recommendation.

Recommendation: The Secretary of Agriculture should direct the Office of Property and Fleet Management to consistently monitor property provided to non-federal recipients within 1 year of receipt, and to ensure property is being used for its intended purpose 1 year after initial monitoring. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: USDA concurred with this recommendation. As of April 2020, USDA's 180-day letter has not been received.

Recommendation: The Secretary of Energy should direct the Office of Asset Management to resume monitoring the Economic Development Property program, including property provided to non-federal recipients. (Recommendation 2)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: As of March 2020, DOE indicated in its 180-day letter that the agency concurred with the recommendation, and will update their annual personal property reporting requirements. DOE anticipates having this recommendation implemented by September 30, 2020. GAO will continue to monitor DOE's efforts to implement this recommendation.

Recommendation: The Secretary of Labor should direct the Employment and Training Administration to take steps, such as reconciling data between Job Corps centers and the Job Corps National Office, to ensure that the entities responsible for overseeing and monitoring the Job Corps Program have accurate data on the excess property provided to non-federal recipients. (Recommendation 3)

Agency: Department of Labor: Office of the Secretary
Status: Open

Comments: As of February 2020, DOL indicated in its 180-day letter that they concurred with the recommendation, and have taken steps to improve the monitoring and oversight of Job Corps Property. This includes modifying the GSAXcess approval process by elevating review of all GSAXcess requests made by Job Corps Centers to DOL's Employment Training Administration's (ETA) national office. ETA is also working with DOL's Office of the Assistant Secretary for Administration and Management (OASAM) to develop a process for GSAXcess review that includes identifying approval levels for each category of property, identifying categories of property requiring additional review and approvals, and coordinating and streamlining access request procedures. These changes will be reflected in DOL's Office of Job Corps standard operating procedures (SOP), which is expected to be issued at the end of fiscal year 2020. DOL expects to provide training to Job Corps staff and Job Corps Centers in support of the SOP that will be provided annually. GAO will continue to monitor DOL's efforts to implement this recommendation.

Recommendation: The Secretary of Agriculture should direct the Office of Property and Fleet Management to establish clear processes to oversee property programs, including excess property provided to non-federal recipients across the agency. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: USDA concurred with this recommendation. As of April 2020, USDA's 180-day letter has not been received.

Recommendation: The Secretary of Energy should direct the Office of Asset Management to update its regulations and guidance on programs that provide property to non-federal recipients to ensure regulations are current and establish a process to regularly communicate information about non-federal recipient programs to DOE program offices. (Recommendation 5)

Agency: Department of Energy: Office of the Secretary
Status: Open

Comments: As of March 2020, DOE indicated in its 180-day letter that the agency concurred with the recommendation, and will update internal policies, and provide personal property information on DOE's internal informational website known as Powerpedia. DOE anticipates implementing this recommendation by September 30, 2020. GAO will continue to monitor DOE's efforts to implement this recommendation.

Recommendation: The GSA Administrator should direct the Office of Government-wide Policy to revise the Personal Property Reporting Tool by updating the authorities agencies can select. (Recommendation 6)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of February 2020, GSA indicated in its 180-day letter that it concurred with the recommendation, and has taken steps to revise the Personal Property Reporting Tool (tool). GSA has added relevant authorities to the tool as recently as July 2019, and will continue to contact agencies to ensure relevant authorities are included in the tool. GSA is also evaluating technical updates to the tool to ensure that reporting agencies select an appropriate authority when reporting personal property. GSA plans to complete these actions by July 31, 2020, and inform agencies of these changes in their guidance by the end of fiscal year 2020. GAO will continue to monitor GSA's efforts to implement the recommendation.

Recommendation: The GSA Administrator should direct the Office of Government-wide Policy to document in what circumstances excess property loaned to non-federal recipients should be reported and what property GSA is reporting on behalf of agencies, for example, by updating GSA guidance. (Recommendation 7)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: As of February 2020, GSA indicated in its 180-day letter that it concurred with the recommendation. GSA will better communicate with agencies to better understand the confusion of reporting on loaned excess property, as reporting requirements are in statute, regulations, and guidance. GSA also plans to review and update by July 31, 2020, relevant regulations and guidance in this area including Federal Management Regulation Bulletin B-27, "Annual Executive Agency Reports on Excess and Exchange/Sale Personal Property." GAO will continue to monitor GSA's efforts to implement this recommendation.

Recommendation: Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment. Issues that should be considered include: (1) which agency or agencies should oversee Internet privacy; (2) what authorities an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority; and (3) how to balance consumers' need for Internet privacy with industry's ability to provide services and innovate.

Agency: Congress
Status: Open

Comments: When we confirm what actions Congress has taken in response to this recommendation, we will provide updated information

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps in the JRSS cost estimate; however, as of July 2019, DOD had not provided the documentation. The officials also stated that planning for JIE components other than JRSS and ECAPS had not begun; therefore, there were no other JIE component cost estimates. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network part of the Joint Regional Security Stacks (JRSS) component; however, the schedule was not consistent with the practices described in our report. In addition, In May 2019, officials in the Office of the DOD CIO stated that another JIE initiative, the Enterprise Collaboration and Productivity Services program, had an approved baseline schedule. However, as of July 2019, DOD had not provided the schedule.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule was not consistent with the practices described in our report. In May 2019, officials in the Office of the DOD CIO said that the JRSS schedule had not been re-baselined and the department had not developed a schedule management plan. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department planned to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. However, as of July 2019, the department had not provided an update on the status of its efforts to address the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In May 2019, the office of the DOD CIO stated that it had developed a schedule to complete JIE security assessments. However, as of July 2019, the office had not provided the schedule or demonstrated that it has a strategy for conducting JIE security assessments that includes the rest of the elements of our recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps. However, as of July 2019, DOD had not provided the documentation.