Recommendations Database

As of January 31, 2023, there are 4839 open recommendations that still need to be addressed. 470 of these are priority recommendations, those that we believe warrant priority attention. Learn more about our priority designation on our Recommendations page.

Search for open recommendations by agency, topic, subject, or keyword/phrase below, or view all open recommendations by agency.

1 - 18 of 18 Recommendations, including 1 Priority Recommendations

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

1 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of the Cybersecurity and Infrastructure Security Agency should work with the Director of the Federal Insurance Office to produce a joint assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response. (Recommendation 1)
Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

COVID-19: Current and Future Federal Preparedness Requires Fixes to Improve Health Data and Address Improper Payments

1 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of the Cybersecurity and Infrastructure Security Agency should assess and document lessons learned from the COVID-19 pandemic's impacts on the Critical Manufacturing Sector. See the Critical Manufacturing Sector enclosure. (Recommendation 11)
Open

CISA agreed with our recommendation and stated that in March 2022 the agency conducted a pandemic lessons-learned workshop with members of the Critical Manufacturing Sector Coordinating Council to discuss pandemic impacts on the sector and related mitigation actions. CISA officials said they planned to use input from the workshop to develop an after-action report with recommendations for addressing pandemic-related impacts to the sector. In September 2022, CISA provided the Critical Manufacturing Pandemic Planning Guide (July 2022), which, according to officials, provides suggested guidelines

Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing

6 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of CISA should ensure that CISA's process for developing a prioritized list of critical infrastructure that would cause national or regional catastrophic effects if destroyed or disrupted reflects current threats. (Recommendation 1)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Cybersecurity and Infrastructure Security Agency The Director of CISA should ensure that CISA's process for developing a prioritized list of critical infrastructure that would cause national or regional catastrophic effects if destroyed or disrupted includes input from additional states that have not provided recent nominations or updates. (Recommendation 2)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Cybersecurity and Infrastructure Security Agency The Director of CISA should ensure that stakeholders are fully engaged in the implementation of the National Critical Functions framework. (Recommendation 3)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Cybersecurity and Infrastructure Security Agency The Director of CISA should document, as appropriate, goals and strategies for the National Critical Functions framework. (Recommendation 4)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Cybersecurity and Infrastructure Security Agency The Director of CISA should implement processes to improve communication and coordination between critical infrastructure organizations and CISA headquarters and regional staff. (Recommendation 5)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Cybersecurity and Infrastructure Security Agency The Director of CISA should coordinate with relevant regionally based, federal, and nonfederal partners to regularly develop and distribute regionally specific threat information to each of CISA's 10 regions. (Recommendation 6)
Open

DHS concurred with this recommendation and we will continue to monitor the agency's progress addressing it.

Critical Infrastructure Protection: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector

3 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The Director of CISA should assess the effectiveness of CISA's programs and services to support the Communications Sector, including developing and implementing metrics and analyzing feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience. (Recommendation 1)
Open

In November 2021, we reported that CISA had numerous programs and services to support the security and resilience of the Communications Sector, but CISA had not assessed the effectiveness of these actions. Specifically, we found that CISA had not developed metrics or analyzed feedback received from Communications Sector owners and operators to determine if those entities found its programs and services useful or relevant. Further, CISA had not evaluated its programs and services to determine which types of Communications Sector owners and operators may benefit most from participation

Cybersecurity and Infrastructure Security Agency The Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. (Recommendation 2)
Open

In November 2021, we reported that CISA had taken actions to support emergency preparedness for the Communications Sector, but had not completed an assessment of its capabilities to perform as the federal coordinator for Emergency Support Function #2, as called for in Federal Emergency Management Agency (FEMA) guidance. As a result, we recommended the Director of CISA should complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other

Cybersecurity and Infrastructure Security Agency The Director of CISA, in coordination with public and private Communications Sector stakeholders, should produce a revised Communications Sector-Specific Plan, to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities. (Recommendation 3)
Open

In November 2021, we reported that CISA had not produced an updated Communications Sector-Specific Plan since 2015 even though, according to DHS's National Infrastructure Protection Plan, each critical infrastructure sector should update its sector-specific plan every 4 years to reflect sector priorities and describe national preparedness efforts, among other things. During our review, CISA officials told us that CISA had not updated its Communications Sector-Specific Plan because the majority of the plan was still valid; however, these officials also acknowledged that certain elements of the

Chemical Security: Overlapping Programs Could Better Collaborate to Share Information and Identify Potential Security Gaps

1 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency DHS's Cybersecurity and Infrastructure Security Agency should collaborate with the EPA to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate. (Recommendation 6)
Open – Partially Addressed

DHS concurred with this recommendation, and described planned steps it would take to implement it, including working with EPA to identify and explore possible approaches for assessing potential security gaps that exist at water and wastewater facilities broadly. In response, DHS and EPA officials began discussing options to assess the extent to which potential security gaps exist, identify and evaluate options for addressing such gaps, and determine if any additional action, such as a legislative proposal, is warranted. As of October 2022, subject matter experts from DHS and EPA concluded that

Critical Infrastructure Protection: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities

5 Open Recommendations
1 Priority
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)
Open

DHS concurred with this recommendation and stated that CISA agrees that it is important to ensure cybersecurity training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. According to CISA officials, as of November 2022 the CFATS inspector auditing program, which is one way CISA assesses the effectiveness of its training programs, remained on pause due to COVID-19 concerns. CISA officials anticipate resuming the audit program during fiscal year 2022. Once reinitiated, the inspector audit program will allow CISA to

Cybersecurity and Infrastructure Security Agency The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)
Open

DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. As of November 2022, CISA officials reported that the CFATS program launched a new system for managing cybersecurity and other internal CFATS training. According to the officials, the new system can track all participants, test scores, and certificates for internal cybersecurity training. CISA officials also reported that they were in the process of loading courses and training records to the new

Cybersecurity and Infrastructure Security Agency The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)
Open

DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. As of November 2022, CISA officials reported that the CFATS program does not have a process for conducting an overall review of the effectiveness of CFATS training and was reviewing options to support an annual review process. According to the officials, the annual review process would seek to determine: the efficacy of each course; what changes may be

Cybersecurity and Infrastructure Security Agency (Priority recommendation) The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)
Open

As of January 2023, DHS issued new guidance to assist with chemical security workforce planning and CISA officials estimate that they will implement the requirements of the workforce plan by August 2023. Fully addressing this recommendation by developing a workforce plan that includes analysis of any gaps in the chemical security program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them, will help the program ensure that it has the appropriate number of staff to carry out cybersecurity-related efforts.

Cybersecurity and Infrastructure Security Agency The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)
Open

DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities, but that it is not in a readily accessible format. As of November 2022, CISA officials reported that the agency is creating a tool to automate the locating and reporting of a facility's cyber integration level data. In addition, the officials stated that CISA is updating its web portal used by chemical facility operators to include a question concerning facility cyber integration levels. Regarding inspector cybersecurity expertise, CISA officials stated that the

Election Security: DHS Plans Are Urgently Needed to Address Identified Challenges Before the 2020 Elections

1 Open Recommendations
Agency Recommendation Status
Cybersecurity and Infrastructure Security Agency The CISA Director should document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency's 2020 planning. (Recommendation 3)
Open

The agency agreed with the recommendation and has taken steps towards implementing it. We reported that CISA's strategic plan had only addressed three challenges from its external lessons learned review. Subsequently, CISA addressed two additional challenges in its operations plan and its election infrastructure subsector-specific plan. CISA's plans addressed, among others, challenges regarding the agency's role in sharing and collecting intelligence across the election community and facilitating industry-wide vulnerability disclosures. Additionally, CISA conducted a review following the 2020

Have a Question about a Recommendation?

For questions about a specific recommendation, contact the person or office listed with the recommendation. For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.