Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)

Agency: Department of Housing and Urban Development
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should ensure that the Biometric Entry-Exit Program's privacy notices contain complete and current information, including all of the locations where facial recognition is used and how travelers can request to opt out as appropriate. (Recommendation 1)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should ensure that the Biometric Entry-Exit Program's privacy signage is consistently available at all locations where CBP is using facial recognition. (Recommendation 2)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should direct the Biometric Entry-Exit Program to develop and implement a plan to conduct privacy audits of its commercial partners', contractors', and vendors' use of personally identifiable information. (Recommendation 3)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should develop and implement a plan to ensure that the biometric air exit capability meets its established photo capture requirement. (Recommendation 4)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of CBP should develop a process by which Biometric Entry-Exit program officials are alerted when the performance of air exit facial recognition falls below established thresholds. (Recommendation 5)

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should ensure that CMS, FBI, IRS, and SSA are collaborating on their cybersecurity requirements pertaining to state agencies to the greatest extent possible and direct further coordination where needed. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should take steps to ensure that CMS, FBI, IRS, and SSA coordinate, where feasible, on assessments of state agencies' cybersecurity, which may include steps such as leveraging other agencies' security assessments or conducting assessments jointly. (Recommendation 2)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should, in collaboration with OMB, solicit input from FBI, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document CMS's rationale for maintaining any requirements variances.(Recommendation 3)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Administrator of CMS should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 4)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should, in collaboration with OMB, solicit input from CMS, IRS, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 5)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 6)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The FBI Director should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 7)

Agency: Department of Justice: Federal Bureau of Investigation
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should, in collaboration with OMB, solicit input from CMS, FBI, SSA, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The IRS Commissioner should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should, in collaboration with OMB, solicit input from CMS, FBI, IRS, and state agency stakeholders on revisions to its security policy to ensure that cybersecurity requirements for state agencies are consistent with other federal agencies and NIST guidance to the greatest extent possible and document the SSA's rationale for maintaining any requirements variances. (Recommendation 10)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should fully develop policies for coordinating with state agencies on the use of prior findings from relevant cybersecurity assessments conducted by other organizations. (Recommendation 11)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of SSA should revise its assessment policies to maximize coordination with other federal agencies to the greatest extent practicable. (Recommendation 12)

Agency: Social Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Chairman of the NMB should document NMB's authorizations for its use of cloud services approved through FedRAMP and submit the authorizations to the FedRAMP Program Management Office. (Recommendation 1)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should update NMB's security policies and procedures to include FedRAMP's authorization requirements. (Recommendation 2)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and said it would take action to address it, completing these actions by the end of fiscal year 2020.

Recommendation: The Chairman of the NMB should develop a written plan to document NMB's process for reviewing and monitoring the agency's annual appropriation to ensure that funds are used effectively. (Recommendation 3)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Chairman of the NMB should establish a process for the Board to effectively monitor and evaluate NMB's adherence to audit protocols and implementation of actions to address audit recommendations. (Recommendation 4)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. Agency officials said they would take action to address it, but did not provide a time frame for completion.

Recommendation: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management. (Recommendation 1)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was in the process of revising its IT systems project planning to ensure the development and implementation of policies and procedure incorporating key cybersecurity activities. The agency also stated that it plans to hire an IT Security Project Manager in order to acquire the necessary cybersecurity expertise needed to implement this recommendation and to ensure that sufficient time and resources can be dedicated to the development and implementation of these policies and procedures. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of oversight procedures for each externally-operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and, (4) reviewing the assessment. (Recommendation 2)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing oversight procedures for each externally-operated system. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function. (Recommendation 3)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it had expanded the office's IT Director's role to formally include the functions of an IT Risk Executive and was in the process of establishing the roles and responsibilities. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy. (Recommendation 4)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing a cybersecurity risk management strategy. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. (Recommendation 5)

Agency: Office of Congressional Workplace Rights
Status: Open

Comments: In January 2020, OCWR noted that, once the position of IT Security Project Manager is filled and the IT Risk Executive functions are formalized, the agency is planning to commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. We will continue to monitor OCWR's progress in addressing this recommendation

Recommendation: The Administrator of TSA should document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change; (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and agreed to document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change. In March 2020, TSA updated its SOP to require that the selected rule review process be documented for each new rule and rule change. TSA's policy change is a positive first step, but to fully address this recommendation, TSA will need to demonstrate that the selected rule review process is now being documented.

Recommendation: The Administrator of TSA should explore additional data sources measuring the effectiveness of Silent Partner and Quiet Skies rules. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and, in May 2020, DHS officials stated that they are reviewing data sources and assessing potential ways to assess the effectiveness of Quiet Skies and Silent Partner screening rules. DHS officials stated that they plan to fully address this recommendation by December 2020.

Recommendation: The Director of the Bureau of Land Management (BLM) should create and implement a policy for standard posting requirements regarding comments and their identity information, particularly for duplicate comments, and should clearly communicate this policy to the public on the BLM website. (Recommendation 1)

Agency: Department of the Interior: Bureau of Land Management
Status: Open

Comments: BLM concurred with the recommendation. In December 2019, BLM indicated that it will develop and issue policy for standard posting requirements regarding public comments and associated identity information as well as duplicative comments which will be available on BLM's website. BLM officials estimate that this will be completed in March 2020. Until these items are completed, our recommendation to BLM remains open.

Recommendation: The Administrator of Centers for Medicare & Medicaid Services (CMS) should create and implement a policy for standard posting requirements regarding comments and their identity information, particularly for duplicate comments, and should clearly communicate this policy to the public on the CMS website. (Recommendation 2)

Agency: Department of Health and Human Services: Centers for Medicare and Medicaid Services
Status: Open

Comments: In January 2020, the Department of Health and Human Services stated that CMS already has policies for standard posting requirements, and noted that they would update their policy and communicate it on the CMS website. However, while CMS provided us with an excerpt of the updated language, as written, it does not include information about how the agency posts duplicate comments. Further, CMS did not provide us with this policy, and our review of the website does not indicate any changes have been made. HHS stated it would provide additional follow up actions by 7/23/2020. Given that we found significant variation in the way that CMS posts comments, even within a single docket, we continue to believe that it is important for CMS to develop and implement a standard policy for posting duplicate comments and their identity information, in addition to communicating this policy to the public on the CMS website.

Recommendation: The Director of the Consumer Financial Protection Bureau (CFPB) should finalize its draft policy for posting comments and their identity information, particularly for duplicate comments, and clearly communicate it to the public on the CFPB website. (Recommendation 3)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: CFPB concurred with the recommendation. In December 2019, CFPB indicated that it will develop new language for consumerfinance.gov to better explain the Bureau's "post all" policy, and any exceptions to it. Additionally, CFPB is finalizing internal procedures for posting comments. Until these items are completed, our recommendation to CFPB remains open.

Recommendation: The Assistant Secretary of Labor for the Employee Benefits Security Administration (EBSA) should
1. create and implement a policy for standard posting requirements regarding comments and their identity information, particularly for duplicate comments;
2. clearly communicate this policy to the public on the EBSA website; and
3. evaluate the duplicative practice of replicating rulemaking dockets on the EBSA website, to either discontinue the practice or include a reference to Regulations.gov and explanation of how the pages relate to one another. (Recommendation 4)

Agency: Department of Labor: Employee Benefits Security Administration
Status: Open

Comments: EBSA concurred with the recommendation. In September 2019, EBSA stated that it will develop a written policy regarding posting of comments, including that of duplicate comments. This information will be available on their website. Additionally, EBSA will post a reference to Regulations.gov as part of each Notice of Proposed Rulemaking (NPRM) webpage that includes public comments together with an explanation of its relation to Regulations.gov as a means to access public comments on EBSA's rulemaking initiatives. EBSA officials did not provide a date by which these actions will be implemented. Additionally, while EBSA noted that internal and external users prefer the agency's current practice of replicating rulemaking dockets, the agency did not provide evidence that a formal evaluation had been conducted, and did not identify plans to do so. As a result, at this time our recommendation to EBSA remains open.

Recommendation: The Administrator of the Environmental Protection Agency (EPA) should finalize its draft policy for posting comments and their identity information, particularly for duplicate comments, and clearly communicate it to the public on the EPA website. (Recommendation 5)

Agency: Environmental Protection Agency
Status: Open

Comments: EPA concurred with the recommendation. In January 2020, EPA indicated that it will finalize its Docket Center's Document Processing Standard Operating Procedure as well as its website. This update will include information detailing when all duplicate comments are posted to Regulations.gov and when just one representative sample of a duplicate comment is posted. EPA officials estimate that this will be completed in February 2020. Until these items are completed, our recommendation to EPA remains open.

Recommendation: The Director of the Fish and Wildlife Service (FWS) should create and implement a policy for standard posting requirements regarding comments and their identity information, particularly for duplicate comments, and should clearly communicate this policy to the public on the FWS website. (Recommendation 6)

Agency: Department of the Interior: United States Fish and Wildlife Service
Status: Open

Comments: FWS concurred with the recommendation. In December 2019, FWS stated that it will update its service manual to include all standard posting requirements regarding public comments and their identity information. Additionally, FWS will include a statement on the FWS' website to inform the public about posting of public comments and identity information to regulations.gov. FWS officials estimate that this will be completed in June 2020. Until these items are completed, our recommendation to FWS remains open.

Recommendation: The Administrator of the Wage and Hour Division (WHD) should clearly communicate its policy for posting comments and their identity information, particularly for duplicate comments, to the public on the WHD website. (Recommendation 8)

Agency: Department of Labor: Wage and Hour Division
Status: Open

Comments: WHD concurred with the recommendation. In August 2019, WHD indicated that it will add text to each webpage for any rulemaking that invites public comments which states that any personal information included in the comments (including duplicate) will be posted to Regulations.gov without change. However, the text provided by officials does not explain WHD's policy of posting duplicate comments as a group under a single document ID, and therefore does not clearly communicate the agency's posting practices to the public. As a result, at this time our recommendation to WHD remains open.

Recommendation: Congress should consider providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: No action has been taken on this matter as of December 2019.

Recommendation: The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.

Recommendation: The Commissioner of Internal Revenue should modify the Authorized e-file Provider program's requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.

Recommendation: The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.

Recommendation: The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.

Recommendation: The Commissioner of Internal Revenue should update IRS's monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.

Recommendation: The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS's Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.

Recommendation: The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types Authorized e-file Providers. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.

Recommendation: The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.

Recommendation: The DOD Inspector General should coordinate with the IGs of the military services to take additional actions to improve performance against unmet timeliness goals. This includes steps to improve performance of senior official misconduct investigations and military service reprisal intakes, and to resolve disagreement on notifications. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the DOD and military service Inspectors General had convened a working group to coordinate performance improvement on unmet timeliness goals. According to the IG, the working group's recommendations are being incorporated into uniform standards for reprisal investigations that are expected to be finalized in the second quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Air Force Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 3)

Agency: Department of Defense
Status: Open

Comments: The Air Force Inspector General concurred with this recommendation, and the DOD Officer of Inspector General stated in December 2019 that the Air Force Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Marine Corps Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 4)

Agency: Department of Defense
Status: Open

Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Naval Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The DOD Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access to sensitive whistleblower information in the current case management system and associated document repository is limited to information that is necessary to accomplish assigned tasks. (Recommendation 6)

Agency: Department of Defense
Status: Open

Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The DOD Inspector General should coordinate with the IGs of the military services to develop a plan to fully restrict case access in the future whistleblower enterprise case management system so that user access is limited to information necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 7)

Agency: Department of Defense
Status: Open

Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the future whistleblower case management system would incorporate design limits providing for access to information only by personnel necessary to accomplish assigned tasks in accordance with organizational missions and business functions. According to the IG, the system is scheduled to deploy in the third quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The DOD Inspector General should enhance its process for periodically reviewing whistleblower case management system and document repository user privileges by including steps to ensure that such privileges remain valid after system updates, as appropriate. (Recommendation 8)

Agency: Department of Defense
Status: Open

Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Air Force Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 9)

Agency: Department of Defense
Status: Open

Comments: The Air Force Inspector General concurred with this recommendation, and stated in December 2019 that an update scheduled for the end of April 2020 would enhance access control measures in its existing applications. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Army Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 10)

Agency: Department of Defense
Status: Open

Comments: The Army Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Army Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Marine Corps Inspector General should develop a plan to ensure that its redesigned whistleblower case management application restricts user access to information based on what is needed to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 11)

Agency: Department of Defense
Status: Open

Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Naval Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 12)

Agency: Department of Defense
Status: Open

Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

Recommendation: The Director of CFPB should identify additional sources of information, such as through registering CRAs or leveraging state information, that would help ensure the agency is tracking all CRAs that meet the larger participant threshold. (Recommendation 1)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they have reviewed state CRA registration information available to them, are working to obtain additional state registration information, and are exploring additional ways to leverage the information. GAO will continue to monitor CFPB's progress in leveraging additional sources of information that would help identify larger participant CRAs.

Recommendation: The Director of CFPB should assess whether its process for prioritizing CRA examinations sufficiently incorporates the data security risks CRAs pose to consumers, and take any needed steps identified by the assessment to more sufficiently incorporate these risks. (Recommendation 2)

Agency: Consumer Financial Protection Bureau
Status: Open

Comments: In July 2020, CFPB staff noted that they were assessing whether, and if so, how and when, to incorporate data security risks into their supervisory prioritization. As part of that evaluation, CFPB is assessing whether those processes should incorporate data security risks CRAs pose to consumers in light of the agency's statutory authorities, supervisory responsibilities, and resources. GAO will continue monitoring CFPB's assessment of prioritization of CRA data security risks.

Recommendation: Congress should consider providing the Federal Trade Commission with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act to help ensure that the agency has the tools it needs to most effectively act against data privacy and security violations. (Matter for Consideration 1)

Agency: Congress
Status: Open

Comments: As of July 2020, Congress has not passed legislation to provide FTC with civil penalty authority for the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act.

Recommendation: The Chairman of the National Mediation Board should develop and execute a plan to address the rail arbitration case backlog. (Recommendation 1)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and stated that it is examining the growing arbitration backlog and investigating steps the Board may take to reduce it. In particular, the agency noted that it is discussing proposals with stakeholders and formulating a plan to reduce the backlog in 2018.

Recommendation: The Chairman of the National Mediation Board should develop and implement policies for approval and monitoring of employee requests for outside employment and other outside activities to prevent violations of ethics rules, consistent with Office of Government Ethics standards of conduct and federal internal control standards. (Recommendation 2)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that it has taken significant steps to investigate this matter and has established new controls in order to prevent this type of activity in the future, including establishing a relationship with the IG of the National Labor Relations Board to operate a telephone hotline and email address for the reporting of suspected fraud, waste and abuse at NMB.

Recommendation: The Chairman of the National Mediation Board should complete and take actions on the organizational climate assessment and survey results as a means to address employee concerns. (Recommendation 3)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that the Board is concerned that the 2017 Federal Employee Viewpoint Survey revealed a level of dissatisfaction among NMB employees. It plans to conduct an Internal Climate Assessment in 2018 and agency looks forward to the opportunity to better understand and address any employee concerns.

Recommendation: The Chairman of the National Mediation Board should revise NMB's travel policy and develop appropriate internal controls to ensure compliance with federal requirements for travel. (Recommendation 4)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation. The agency stated that it is in the process of reviewing the current travel policy, and will revise the policy to be in compliance with federal travel regulations as necessary.

Recommendation: The Chairman of the National Mediation Board should revise NMB's telework policy and develop appropriate internal controls to ensure compliance with federal requirements for telework. (Recommendation 5)

Agency: National Mediation Board
Status: Open

Comments: NMB agreed with this recommendation and stated that it will revise its telework policy and strengthen internal controls, as necessary.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: As of April 2020, we have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that is has taken action, we plan to verify whether implementation has occurred.

Recommendation: The IRS Commissioner should direct the appropriate IRS officials to strengthen the process for reasonably assuring that the Internal Revenue Manual (IRM) is reviewed annually to align with the current control procedures and guidance being implemented by agency personnel. This should include a mechanism for reasonably assuring that program owner directors (1) review their respective program control activities and related guidance annually and timely update the IRM as needed, (2) document their reviews, and (3) utilize interim guidance and supplemental guidance correctly for their intended purposes.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2018, IRS created an annual Internal Revenue Manual (IRM) review and certification requirement to reasonably assure that all IRM sections align with the current control procedures and guidance that IRS personnel are implementing. In addition, the Small Business/Self-Employed (SB/SE) and Tax Exempt & Government Entities (TE/GE) organizations developed action plans to achieve substantial compliance with this requirement. During fiscal year 2019, the SB/SE organization completed its action plan; however, IRS officials stated that the TE/GE organization will complete its action plan during fiscal year 2020. Further, in fiscal year 2019, the Large Business & International organization reviewed and analyzed the results of its involvement in the annual IRM certification process. Based on the results of its analysis, the organization developed an action plan to achieve substantial compliance with the IRM review and certification requirement, which IRS officials stated it will complete by December 2021.

Recommendation: To improve care for women veterans, the Secretary of Veterans Affairs should direct the Under Secretary for Health to strengthen the environment of care inspections process and VHA's oversight of this process by expanding the list of requirements that facility staff inspect for compliance to align with VHA's women's health handbook, ensuring that all patient care areas of the medical facility are inspected as required, clarifying the roles and responsibilities of VA medical facility staff responsible for identifying and addressing compliance, and establishing a process to verify that noncompliance information reported by facilities to VHA Central Office is accurate and complete.

Agency: Department of Veterans Affairs
Status: Open

Comments: As of October 2018, VA has taken some actions to address this recommendation, but additional actions are needed to fully implement it. We will update the status of this recommendation when we receive additional information from VA.

Recommendation: To improve care for women veterans, the Secretary of Veterans Affairs should direct the Under Secretary for Health to monitor women veterans' access to key sex-specific care services--mammography, maternity care, and gynecology--under current and future community care contracts. For those key services, monitoring should include an examination of appointment scheduling and completion times, driving times to appointments, and reasons appointments could not be scheduled with community providers.

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: As of June 2017, VHA still lacks data and performance measures for the availability under Choice of sex-specific care, such as mammograms, maternity care, or gynecology. In contrast, for another VA care in the community program, PC3 (a program that the Choice third party administrators also administer) VHA collects data and has performance measures to evaluate women veterans' access to mammography and maternity care. To fully implement this recommendation, VHA needs to extend the collection of data to include care delivered through the Choice Program and other community care programs and establish related performance measures. VA is in the process of letting contracts for its new community care program and is expected to have contracts in place for all regions of the country in fiscal year 2019

Recommendation: To improve the effectiveness of HHS guidance and oversight of privacy and security for health information the Secretary of Health and Human Services should establish performance measures for the Office of Civil Rights (OCR) audit program.

Agency: Department of Health and Human Services
Status: Open

Comments: The Department of Health and Human Services (HHS) concurred with the recommendation but has not yet provided sufficient evidence that it had implemented the recommendation. In particular, as of August 2020, the HHS Office for Civil Rights (OCR) has not yet reviewed the feasibility of performance measures as part of its audit program, and plans to do so only after implementing a future redesign of its audit program. We will continue to monitor HHS actions in response to this recommendation.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to define procedures for overseeing state-based marketplaces, to include day-to-day activities of the relevant offices and staff.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: To improve the oversight of privacy and security controls over the state-based marketplaces, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to require continuous monitoring of the privacy and security controls over state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities.

Agency: Department of Health and Human Services
Status: Open

Comments: The agency concurred with the recommendation and is actively working on addressing the recommendation. We will continue to work with the agency to verify whether implementation has occurred.

Recommendation: Congress may wish to consider directing DOT to study and provide a report to Congress identifying approaches for extracting, storing, and analyzing electronically collected motor carrier drivers' schedule data, including the potential benefits, privacy, and cost concerns, and options for how such concerns could be mitigated.

Agency: Congress
Status: Open

Comments: As of March 2020, Congress has taken no action to direct DOT to study this matter.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Offices finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.