Recommendations Database

GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.

Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.

As of November 30, 2021, there are 4659 open recommendations, of which 482 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.

Search Open Recommendations


Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene

5 Open Recommendations
5 Priority
Agency Recommendation Status
Office of the Secretary of Defense
This is a priority recommendation.
The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)
Open

The Department of Defense did not concur with this recommendation. A July 2020 letter from the DOD CIO's office stated that "the cyber landscape is constantly evolving with changes in technology, threats, and vulnerabilities. This requires DOD to reassess its cybersecurity priorities. Since the CDIP's approval in 2015, the Department has issued new or updated versions of the National Defense Strategy, DOD Cyber Strategy, Digital Modernization Strategy, DOD Cloud Strategy, Artificial Intelligence Strategy, and DoD Cybersecurity Risk Reduction Strategy, and a classified Top 10 Scorecard which

Office of the Secretary of Defense
This is a priority recommendation.
The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)
Open

In its March 2020 written comments, the DOD CIO's office partially concurred with this recommendation and stated that the department should complete two of the seven tasks from the DOD Cybersecurity Culture and Compliance Initiative (DC3I) that DOD had not completed: tasks two and six. At the time, DOD stated that these two tasks were the only two still actively being pursued and that the remaining five incomplete tasks were either implemented or had been overcome by events. DOD did not provide evidence that these five tasks had been implemented or elaborate on why it thought they had been

Office of the Secretary of Defense
This is a priority recommendation.
The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)
Open

The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that the specific relevant CDIP tasks were identified only in classified communications between GAO and DOD and they are considering these matters further.

Office of the Secretary of Defense
This is a priority recommendation.
The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)
Open

The Department of Defense did not concur with this recommendation. In a July 2020 letter, the DOD CIO's office stated that the department would provide a more specific rationale for its position in a classified response. In a February 2021 update, the DOD CIO's office stated that the department will not pursue any efforts to implement this recommendation because GAO terminated the classified portion of this engagement and the CIO's office needed additional clarification from GAO on the recommendation. The classified communications GAO previously conducted with DOD adequately convey the scope

Office of the Secretary of Defense
This is a priority recommendation.
The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions—and revises the recurring reports (or develops a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)
Open

The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that DOD concurred that it will revise the recurring reports by merging the Cyber Hygiene and Top 10 Scorecards to further assist senior leader decision-making by correlating the data in both scorecards. The letter estimated that the merger would be completed by 1 Oct 2020. The letter identified three corrective actions the department planned to take in response to this recommendation. First, it stated that DOD would demonstrate an interim merger of scorecard capabilities

Have a Question about a Recommendation?

For questions about a specific recommendation, contact the person or office listed with the recommendation. For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.