Skip to main content
.
Share with LinkedInShare with TwitterShare with facebook

Highlights

What GAO Found

Overall ratings in 2021 for 20 of GAO’s 2019 high-risk areas remain unchanged, and five regressed. Seven areas improved, one to the point of removal from the High-Risk List. Two new areas are being added, bringing our 2021 High-Risk List to 36 areas. Where there has been improvement in high-risk areas, congressional actions, in addition to those by executive agencies, have been critical in spurring progress.

GAO is removing Department of Defense (DOD) Support Infrastructure Management from the High-Risk List. Among other things, DOD has more efficiently utilized military installation space; reduced its infrastructure footprint and use of leases, reportedly saving millions of dollars; and improved its use of installation agreements, reducing base support costs

GAO is narrowing the scope of three high-risk areas by removing segments of the areas due to progress that has been made. The affected areas are: (1) Federal Real Property (Costly Leasing) because the General Services Administration has reduced its reliance on costly leases and improved monitoring efforts; (2) DOD Contract Management (Acquisition Workforce) because DOD has significantly rebuilt its acquisition workforce; and (3) Management of Federal Oil and Gas Resources (Offshore Oil and Gas Oversight) because the Department of the Interior's Bureau of Safety and Environmental Enforcement has implemented reforms improving offshore oil and gas oversight.

National Efforts to Prevent, Respond to, and Recover from Drug Misuse is being added to the High-Risk List. National rates of drug misuse have been increasing, and drug misuse has resulted in significant loss of life and harmful effects to society and the economy. GAO identified several challenges in the federal government’s response, such as a need for greater leadership and coordination of the national effort, strategic guidance that fulfills all statutory requirements, and more effective implementation and monitoring.

Emergency Loans for Small Businesses also is being added. The Small Business Administration has provided hundreds of billions of dollars’ worth of loans and advances to help small businesses recover from adverse economic impacts created by COVID-19. While loans have greatly aided many small businesses, evidence of fraud and significant program integrity risks need much greater oversight and management attention.

Nine existing high-risk areas also need more focused attention (see table).
2021 High-Risk List Areas Requiring Significant Attention

High-risk areas that regressed since 2019

High-risk areas that need additional attention

USPS Financial Viability

IT Acquisitions and Operations

Decennial Census

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

Ensuring the Cybersecurity of the Nation

U.S. Government’s Environmental Liability

Strategic Human Capital Management

Improving Federal Oversight of Food Safety

EPA’s Process for Assessing and Controlling Toxic Chemicals
Source: GAO. | GAO-21-119SP
GAO’s 2021 High-Risk List

High-risk area

Change since 2019

Strengthening the Foundation for Efficiency and Effectiveness

Strategic Human Capital Management

Managing Federal Real Property a

Funding the Nation’s Surface Transportation System b c

n/a

Modernizing the U.S. Financial Regulatory System b

Resolving the Federal Role in Housing Finance b

USPS Financial Viability b

Management of Federal Oil and Gas Resources a

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks b

Improving the Management of IT Acquisitions and Operations

Improving Federal Management of Programs That Serve Tribes and Their Members

Decennial Census

U.S. Government’s Environmental Liability b

Emergency Loans for Small Businesses (new) c

n/a

Transforming DOD Program Management

DOD Weapon Systems Acquisition

DOD Financial Management

DOD Business Systems Modernization

DOD Approach to Business Transformation

Ensuring Public Safety and Security

Government-wide Personnel Security Clearance Process b

Ensuring the Cybersecurity of the Nation b

Strengthening Department of Homeland Security Management Functions

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Improving Federal Oversight of Food Safety b

Protecting Public Health through Enhanced Oversight of Medical Products

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

National Efforts to Prevent, Respond to, and Recover from Drug Misuse (new) c

n/a

Managing Federal Contracting More Effectively

VA Acquisition Management d

n/a

DOE’s Contract and Project Management for the National Nuclear Security Administration and Office of Environmental Management

NASA Acquisition Management

DOD Contract Management a

Assessing the Efficiency and Effectiveness of Tax Law Administration

Enforcement of Tax Laws b

Modernizing and Safeguarding Insurance and Benefit Programs

Medicare Program & Improper Payments e

Strengthening Medicaid Program Integrity b

Improving and Modernizing Federal Disability Programs

Pension Benefit Guaranty Corporation Insurance Programs b c

n/a

National Flood Insurance Program b

Managing Risks and Improving VA Health Care b

( indicates area progressed on one or more criteria since 2019; indicates area declined on one or more criteria ; ● indicates no change; n/a = not applicable)
Source: GAO. | GAO-21-119SP

aRatings for a segment within this high-risk area improved sufficiently that the segment was removed.
bLegislation is likely to be necessary in order to effectively address this high-risk area.
cNot rated, because this high-risk area is newly added or primarily involves congressional action.
dRated for the first time, because this high-risk area was newly added in 2019.
eOnly rated on one segment; we did not rate other elements of the Medicare program.

Why GAO Did This Study

The federal government is one of the world’s largest and most complex entities; about $6.6 trillion in outlays in fiscal year 2020 funded a broad array of programs and operations. GAO’s High-Risk Series identifies government operations with vulnerabilities to fraud, waste, abuse, and mismanagement, or in need of transformation to address economy, efficiency, or effectiveness challenges.

This biennial update describes the status of high-risk areas, outlines actions that are still needed to assure further progress, and identifies any new high-risk areas needing attention by the executive branch and Congress. Solutions to high-risk problems save billions of dollars, improve service to the public, and strengthen government performance and accountability.

GAO uses five criteria to assess progress in addressing high-risk areas: (1) leadership commitment, (2) agency capacity, (3) an action plan, (4) monitoring efforts, and (5) demonstrated progress.

What GAO Recommends

This report describes GAO’s views on progress made and what remains to be done to bring about lasting solutions for each high-risk area. Addressing GAO’s hundreds of open recommendations across the high-risk areas and continued congressional oversight and action are essential to achieving greater progress.

Introduction 


Since the early 1990s, our high-risk program has focused attention on government operations with greater vulnerabilities to fraud, waste, abuse, and mismanagement, or that are in need of transformation to address economy, efficiency, or effectiveness challenges. This effort, supported by the Senate Committee on Homeland Security and Governmental Affairs and by the House of Representatives Committee on Oversight and Reform, has brought much needed attention to problems impeding effective government and costing billions of dollars each year.

We have made hundreds of recommendations to reduce the government’s high-risk challenges. Executive agencies either have addressed or are addressing many of them and, as a result, progress is being made in a number of areas.

Congress also continues to take important actions. For example, Congress has enacted a number of laws in recent years that are helping to make progress on high-risk issues. Financial benefits to the federal government due to progress in addressing high-risk areas over the past 15 years (fiscal year 2006 through fiscal year 2020) totaled nearly $575 billion or an average of about $38 billion per year. Since our last update in 2019, we recorded approximately $225 billion in financial benefits. [1]

Nonetheless, substantial efforts are needed on high-risk areas to achieve greater progress and to address regression in some areas since the last high-risk update in 2019. Tens of billions of dollars in additional benefits and substantial improvements to the health, well-being, and security of the nation would be achieved by fully addressing high-risk issues. Sustained congressional attention and executive branch leadership remain key to success.

The nation faces unprecedented challenges that require the federal government to perform better, be more responsive to the American people, and achieve greater results. Major issues facing the nation include the Coronavirus Disease 2019 (COVID-19) pandemic, economic downturns and the federal response, race in America, and the federal government’s ability to meet these and other strategic challenges and perform better. [2] Concerted action on High-Risk List areas is vital to build the capacity of the federal government and make progress on the current and emerging challenges facing the nation.

We are issuing this year’s High-Risk Report while the federal government and the country continue to respond to and recover from the COVID-19 pandemic. In addition to catastrophic loss of life, the pandemic has caused substantial damage to the economy, with many people temporarily or permanently unemployed. Moreover, the surge in cases this winter has overwhelmed the health care system in multiple areas across the country.

The CARES Act includes a provision for us to conduct monitoring and oversight of the federal government’s efforts to prepare for, respond to, and recover from the COVID-19 pandemic. [3] As of January 2021, we had issued six reports in response to this provision, made 44 recommendations to federal agencies, and raised four matters for congressional consideration to improve the federal government’s response efforts. [4] Agencies agreed with some of these recommendations and disagreed with others. We maintain that all our recommendations are warranted. We also have other work under way that addresses the government’s response and recovery activities. [5]

We urge Congress and the administration to take swift action in implementing these recommendations and matters. We will continue to provide ongoing oversight of the federal government’s pandemic response and recovery efforts. This report discusses the Department of Health and Human Services’ (HHS) leadership and coordination of public health emergencies as an emerging issue meriting close attention.

COVID-19 has particularly affected several areas on the High-Risk List, including the Decennial Census, Protecting Public Health through Enhanced Oversight of Medical Products, Improving and Modernizing Federal Disability Programs, Enforcement of Tax Laws, and others. The effects of COVID-19 on individual high-risk areas are discussed further in appendix II, where we discuss the status of each high-risk area.

This report describes (1) progress made addressing high-risk areas and the reasons for that progress, and (2) actions that are still needed. It also identifies two new high-risk areas—National Efforts to Prevent, Respond to, and Recover from Drug Misuse and Emergency Loans for Small Businesses—and one high-risk area we removed from the list because it demonstrated sufficient progress in managing risk—Department of Defense (DOD) Support Infrastructure Management.

This report is based primarily on reports we had issued as of mid-January 2021.

Executive Summary 

How We Identify and Rate High-Risk Areas

To determine which federal government programs and functions should be designated high risk, we use our guidance document, Determining Performance and Accountability Challenges and High Risks. [6]

We consider qualitative factors, such as whether the risk
  • involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens’ rights, or
  • could result in significantly impaired service; program failure; injury or loss of life; or significantly reduced economy, efficiency, or effectiveness.

We also consider the exposure to loss in monetary or other quantitative terms. At a minimum, $1 billion must be at risk, in areas such as the value of major assets being impaired; revenue sources not being realized; major agency assets being lost, stolen, damaged, wasted, or underutilized; potential for, or evidence of, improper payments; and presence of contingencies or potential liabilities.

Before making a high-risk designation, we also consider corrective measures planned or under way to resolve a material control weakness and the status and effectiveness of these actions.

Our experience has shown that the key elements needed to make progress in high-risk areas are top-level attention by the administration and agency leaders grounded in the five criteria for removal from the High-Risk List, as well as any needed congressional action. The five criteria for removal are as follows:
  • Leadership commitment. Demonstrated strong commitment and top leadership support.
  • Capacity. Agency has the capacity (i.e., people and resources) to resolve the risk(s).
  • Action plan. A corrective action plan exists that defines the root cause and solutions and provides for substantially completing corrective measures, including steps necessary to implement solutions we recommended.
  • Monitoring. A program has been instituted to monitor and independently validate the effectiveness and sustainability of corrective measures.
  • Demonstrated progress. Ability to demonstrate progress in implementing corrective measures and in resolving the high-risk area.

We add clarity and specificity to our assessments by rating each high-risk area’s progress on the five criteria and use the following definitions:
  • Met. Actions have been taken that meet the criterion. There are no significant actions that need to be taken to further address this criterion.
  • Partially met. Some, but not all, actions necessary to meet the criterion have been taken.
  • Not met. Few, if any, actions toward meeting the criterion have been taken.

Figure 1 shows a visual representation of varying degrees of progress in each of the five criteria for a high-risk area. Each point of the star represents one of the five criteria for removal from the High-Risk List and each ring represents one of the three designations: not met, partially met, or met.

An unshaded point at the innermost ring means that the criterion has not been met, a partially shaded point at the middle ring means that the criterion has been partially met, and a fully shaded point at the outermost ring means that the criterion has been met. Further, a plus symbol inside the star indicates the rating for that criterion progressed since our last high-risk update. Likewise, a minus symbol inside the star indicates the rating for that criterion declined since our last update.

Figure 1: Illustrative Example of High-Risk Progress Criteria Ratings

Some high-risk areas are made up of segments or subareas that make up the overall high-risk area. For example, the high-risk area Protecting Public Health through Enhanced Oversight of Medical Products includes two segments—Response to Globalization and Drug Availability—to reflect two interrelated parts of the overall high-risk area.

Multidimensional high-risk areas such as these have separate ratings for each segment as well as a summary rating of the overall high-risk area that reflects a composite of the ratings received under the segment for each of the five high-risk criteria. High-risk areas that are primarily based on the need for congressional action are not rated on the criteria and do not receive a star graphic.

Changes to the 2021 High-Risk List

DOD Support Infrastructure Management is being removed from the list due to the progress that was made in addressing the issue. As we have with areas previously removed from the High-Risk List, we will continue to monitor this area to ensure that the improvements we have noted are sustained. If significant problems again arise, we will consider reapplying the high-risk designation.

As discussed below, we added two areas to the High-Risk List since our 2019 update: National Efforts to Prevent, Respond to, and Recover from Drug Misuse; and Emergency Loans for Small Businesses.

In addition to specific areas that we have designated as high risk, other important challenges facing our nation merit continuing close attention. One of these is HHS’s leadership and coordination of public health emergencies. Another challenge is the management of the federal prison system, including programs that help inmates prepare for a successful return to the community.

DOD Support Infrastructure Management Removed from the High-Risk List

We are removing the DOD Support Infrastructure Management high-risk area as DOD has addressed the remaining actions and outcomes from our 2019 High-Risk Report. For example, under an Office of Management and Budget (OMB) program to restrict the growth of excess or underutilized federal properties, DOD contributed to reductions of 68 percent of total government-wide office and warehouse space and 75 percent of other government-wide properties.

DOD also reduced base support costs by implementing our October 2018 recommendations to monitor and evaluate use of intergovernmental support agreements between military installations and local governments. In addition, DOD more efficiently utilized installation space through its reduction of leases, reportedly saving millions of dollars. For example, the Army reduced its leased footprint in the National Capital Region from a peak of 3.9 million square feet in 2011 to roughly 1 million square feet as of September 2019.

DOD is also well positioned for the future to continue improving its support infrastructure management as it formally committed in October 2019 to implement our remaining recommendations related to future Base Realignment and Closure rounds. These recommendations included fully identifying the cost requirements for military construction, information technology (IT), and relocating personnel and equipment.

DOD continues to correct identified real property data discrepancies by issuing new requirements and processes. For example, the Air Force has established a data quality program with a goal of 100 percent accuracy by September 2023, which will help make further improvements to accuracy and completeness of its data moving forward.

While we are removing DOD Support Infrastructure from the High-Risk List, it does not mean DOD has addressed all risk within this area. It remains important that senior leaders continue their efforts to align infrastructure with the needs of the forces. Therefore, we will continue to examine DOD’s efforts, including improving the completeness and accuracy of its real property data as part of our high-risk areas on Managing Federal Real Property and DOD Financial Management.

See appendix II for additional detail on this high-risk area.

National Efforts to Prevent, Respond to, and Recover from Drug Misuse Added to the High-Risk List

Drug misuse—the use of illicit drugs and the misuse of prescription drugs—has been a persistent and long-standing public health issue in the United States. Ongoing efforts seek to address drug misuse through education and prevention, substance use disorder treatment, law enforcement and drug interdiction, and programs that serve populations affected by drug misuse. These efforts involve federal, state, local, and tribal governments as well as community groups and the private sector.

Drug misuse represents a serious risk to public health. It has resulted in significant loss of life and harm to society and the economy. In recent years, the federal government has spent billions of dollars and has enlisted more than a dozen agencies to address drug misuse and its effects.

We determined in March 2020 that this issue is high risk. At that time, in consideration of the challenges from the onset of the COVID-19 pandemic, we reported we would be making the high-risk designation effective in 2021. We also noted that the public health and economic effects from the COVID-19 pandemic could fuel contributing factors of drug misuse, such as unemployment.

In December 2020, the Centers for Disease Control and Prevention (CDC) reported, based on its analysis of National Center for Health Statistics provisional data, that the largest recorded increase of drug overdose deaths occurred during the 12-month period ending in May 2020. In particular, CDC reported a concerning acceleration of the increase in drug overdose deaths from March 2020 to May 2020, coinciding with the implementation of widespread mitigation measures for the COVID-19 pandemic.

Even before the COVID-19 pandemic, rates of drug misuse had increased from 2002 through 2019, and the rates of drug overdose deaths had also generally increased nationally from the early 2000s through 2019. Although the rate of drug overdose deaths in 2018 decreased compared to 2017, this improvement was reversed in 2019, as shown in figure 2.

Figure 2: Rate of Drug Overdose Deaths in the United States, 2002–2019

Note: CDC adjusts drug overdose death rates for age and the population size to control for the changing age distribution and size of the population, and thereby allows comparisons of rates over time. Data are not yet available for all of 2020. However, in December 2020, CDC reported, based on its analysis of National Center for Health Statistics provisional data, that the largest recorded increase of drug overdose deaths occurred during the 12-month period ending in May 2020.

The Office of National Drug Control Policy (ONDCP) is responsible for overseeing and coordinating the implementation of U.S. drug control policy, including developing the National Drug Control Strategy (Strategy). ONDCP produced the Strategy in 2019 and 2020, but neither iteration contained all the elements required by law. For example, the 2020 Strategy did not include the required 5-year projection for the National Drug Control Program and budget priorities. It also did not include estimates of federal funding or other resources needed to achieve each of the Strategy’s long-range quantifiable goals.

Furthermore, in November 2020, we found that the 2020 National Drug Control Assessment, a companion document to the Strategy, did not include complete information on performance measures for a number of programs related to the Strategy’s prevention goals. Across our body of work, we have made recommendations to ONDCP and other National Drug Control Program agencies to help ensure that future iterations of the Strategy include all statutorily required elements and to ensure effective, sustained implementation of the Strategy. Agencies have generally agreed with our recommendations.

Our past work also found that the federal government has faced barriers to increasing treatment capacity and that treatment availability for substance use disorders has not kept pace with needs. For example, we reported in December 2020 that, according to stakeholders, barriers to expanding substance use disorder treatment include shortages in the treatment workforce, insurance reimbursement and payment models, federal and state requirements, and stigma.

According to Substance Abuse and Mental Health Services Administration data as of May 2020, nearly one-third of counties (31 percent) had no facilities offering any level of substance use disorder treatment. Additionally, overdose death rates vary in counties across the nation—for example, in 2017, 1,354 counties (43.2 percent of counties) had estimates of more than 20 drug overdose deaths per 100,000 people, including 448 counties with rates that were significantly higher than this amount.

We have also reported on agency efforts to ensure legitimate access to pain medication amid initiatives to reduce drug misuse. For example, we have reported on the role of provider education in improving access to prescription pain relievers for patients with a legitimate need for pain relief.

Addressing the drug misuse crisis also requires the capacity to address the effects of drug misuse on individuals and society. For example, as we reported in May 2020, providing clearer direction on the role of states and use of grant funding to address the employment and training needs of those affected by substance use disorders could help ensure the economic well-being of communities affected by drug misuse.

Furthermore, our past work has identified gaps in the availability and reliability of data for measuring the federal government’s progress to address drug misuse. For example, while ONDCP has made some efforts to support and improve existing data sources, ONDCP has not taken action to lead a review of these data to identify ways to improve the timeliness, accuracy, and accessibility of fatal and nonfatal overdose data.

Maintaining sustained attention to preventing, responding to, and recovering from drug misuse will be challenging in the coming months as many of the federal agencies responsible for addressing drug misuse are currently focused on addressing the COVID-19 pandemic. This makes developing and implementing a coordinated, strategic approach even more important as agencies’ resources are also being diverted, in part, to pandemic priorities.

See appendix II for additional detail on this high-risk area, including more details on actions that need to be taken.

Emergency Loans for Small Businesses Added to the High-Risk List

In an effort to quickly help small businesses adversely affected by COVID-19, Congress created the Paycheck Protection Program (PPP) and expanded eligibility for Economic Injury Disaster Loans (EIDL). PPP loans are low interest and fully forgivable if, among other things, a certain percentage was spent for payroll costs.

EIDLs are low-interest loans of up to $2 million for operating and other expenses. In addition, in March 2020, Congress created a new component of the EIDL program—advances of up to $10,000 that do not need to be repaid.

Between March and December 2020, the Small Business Administration (SBA), which administers both programs, made or guaranteed more than 14.7 million loans and grants totaling about $744 billion. This far exceeded its regular levels of lending. In December 2020, Congress appropriated an additional $284 billion for PPP and $20 billion for a targeted EIDL advance program for certain small businesses in low-income communities.

While millions of small businesses have benefited from these programs, the speed with which they were implemented left SBA with limited safeguards to identify and respond to program risks, including susceptibility to improper payments and potential fraud. Since June 2020, we have reported on the potential for fraud in both PPP and EIDL. As a result, we have determined that these programs are high risk because of their potential for fraud, significant program integrity risks, and need for much greater program management and oversight.

We reported in June 2020 that to streamline both programs, the CARES Act and SBA relaxed some approval requirements. For example, SBA’s initial interim final rule allows lenders to rely on borrower certifications to determine the borrower’s eligibility for PPP. We noted that reliance on self-certifications can leave a program vulnerable to exploitation by those who wish to circumvent eligibility requirements or pursue criminal activities. Therefore, we recommended that SBA develop and implement plans to identify and respond to risks in PPP to ensure program integrity, achieve program effectiveness, and address potential fraud.

SBA neither agreed nor disagreed with our recommendation at that time. However, in early December 2020, SBA officials said the agency had completed oversight plans and provided a document that SBA characterized as an overview of these plans. SBA provided a more detailed document in late December 2020, but that document did not contain detailed policies and procedures for some loan reviews or loan forgiveness reviews. According to SBA officials, these were in the process of being updated.

Consistent with our recommendation, the Consolidated Appropriations Act, 2021, requires SBA to submit to the Senate and House Small Business Committees an audit plan that details the policies and procedures for conducting forgiveness reviews and audits of PPP loans within 45 days of enactment and to provide monthly updates thereafter. [7]

In January 2021, we reported that SBA data on businesses’ self-reported industries showed that the agency approved EIDL loans and advances for potentially ineligible businesses. For example, as of September 30, 2020, SBA had approved at least 3,000 loans totaling about $156 million to potentially ineligible businesses in industries, such as real estate development and multilevel marketing, that SBA policies state were ineligible for the EIDL program. Therefore, we recommended that SBA develop and implement portfolio-level data analytics across EIDL loans and advances made in response to COVID-19 as a means to detect potentially ineligible and fraudulent applications.

SBA neither agreed nor disagreed with our recommendation. SBA stated that a business being in one of the categories we deemed ineligible does not automatically mean the business was ineligible. However, we did not state that the businesses were automatically ineligible. The type of analysis we conducted is intended to flag potential cases of ineligible borrowers for additional oversight. SBA did not indicate in its response any plans to conduct such an analysis. We maintain that portfolio-level data analytics could improve SBA’s management of fraud risk.

In December 2020, Congress appropriated an additional $20 billion for targeted EIDL advances. [8] The advances are restricted to certain eligible companies that are located in low-income communities, have suffered an economic loss of more than 30 percent, and have no more than 300 employees. Congress also required SBA to perform eligibility verification for advances and permitted SBA to require additional information, such as tax returns, from applicants for loans and advances as part of its verification.

As we reported in November 2020, it is especially important for agencies with large appropriated amounts, like SBA, to quickly estimate their improper payments, identify root causes, and develop corrective actions when there are concerns about the possibility of widespread improper payments, such as from fraudulent activity. Because SBA had not done so for PPP, we recommended that SBA expeditiously estimate improper payments and report estimates and error rates for PPP.

SBA neither agreed nor disagreed with our recommendation at that time. In response to our recommendation, SBA stated that it was planning to conduct improper payment testing for PPP. However, the agency has not provided documentation of its plans for testing, including estimates of improper payments and error rates for PPP.

In December 2020, SBA’s independent financial statement auditor issued a disclaimer of opinion on SBA’s consolidated financial statements as of and for the year ended September 30, 2020, meaning the auditor was unable to express an opinion due to insufficient evidence. As the basis for the disclaimer, the auditor stated that SBA was unable to provide adequate documentation to support a significant number of transactions and account balances related to PPP and EIDL due to inadequate processes and controls.

Finally, as we have reported since June 2020, SBA’s failures to provide data and documentation on a timely basis for PPP and EIDL have impeded our efforts to evaluate the programs. As of January 2021, we continued to experience delays in obtaining key information from SBA, including detailed oversight plans and documentation for estimating improper payments. The Consolidated Appropriations Act, 2021, requires SBA to respond to requests from GAO within 15 days (or such later date as the Comptroller General may provide) or report to Congress on the reasons for the delay. [9]

See appendix II for additional detail on this high-risk area, including more details on actions that need to be taken.

Emerging Issues Requiring Close Attention

In addition to specific areas that we have designated as high risk, we have ongoing and planned work on two other major issues—HHS’s leadership and coordination of public health emergencies and the management of the federal prison system—that may lead us to designate the issues as high risk when that work is completed.

HHS’s Leadership and Coordination of Public Health Emergencies

HHS is the federal agency charged with leading and coordinating the preparedness for, response to, and recovery from public health and medical emergencies, whether naturally occurring or intentional.

The current pandemic has underscored concerns that we have previously raised with HHS’s leadership and coordination of public health emergencies. Through our previous work on public health emergencies and the current pandemic, we have made a number of recommendations to HHS, many of which are reflected in these four principles of an effective response.

Establish clear goals and define roles and responsibilities among those responding to a crisis. The unprecedented scale of the COVID-19 pandemic, and the whole-of-government response required to address it, highlight the critical importance of clearly defining the roles and responsibilities for the wide range of federal departments and other key players involved when preparing for pandemics and addressing unforeseen emergencies.

In September 2020, we reported that many medical supply management responsibilities that have been shared between multiple agencies are now transitioning to HHS. We found that transition planning efforts are under way, but have not yet culminated in a written plan.

We recommended that HHS immediately document roles and responsibilities for supply chain management functions transitioning to HHS, including continued support from other federal partners. HHS disagreed with this recommendation. We maintain that our recommendation is warranted.

Further, in January 2021, we found that HHS had yet to develop a process for engaging with key stakeholders on a supply strategy. These stakeholders, including state and territorial governments and the private sector, have a shared role for providing supplies during a pandemic. We recommended that HHS develop such a process. HHS generally concurred with our recommendation while noting that it regularly engages with Congress and nonfederal stakeholders. We believe that capitalizing on existing relationships to further engage these critical stakeholders as HHS refines and implements a supply chain strategy will improve a whole-of-government response to, and preparedness for, pandemics.

Establish mechanisms for accountability and transparency. In emergency situations, such as the COVID-19 pandemic, transparency and accountability mechanisms are especially critical when agencies need to move quickly to get funding and information out the door. However, in November 2020, we reported that HHS decisions were not always transparent.

For example, we found that COVID-19 testing guidelines had changed several times over the course of the pandemic with little scientific explanation of the rationale behind the changes, raising the risk of confusing the public and eroding their trust. We made a related recommendation to improve transparency; HHS agreed with this recommendation.

Provide clear communication. In the midst of a nationwide emergency, clear and consistent communication—among all levels of government, with health care providers, and to the public—is key. However, we found this has not always been the case. For example, in January 2021, we reported that HHS had not issued a publicly available and comprehensive national COVID-19 testing strategy, creating the risk of key stakeholders and the public lacking crucial information to support an informed and coordinated testing response.

We recommended that such a strategy be developed and made public to allow for a more coordinated pandemic testing approach. HHS partially concurred with our recommendation and agreed that it should take steps to more directly incorporate some of the elements of an effective national strategy.

Additionally, in September 2020, we reported on the importance of timely, clear, and consistent communication to states to effectively plan for the distribution and administration of a COVID-19 vaccine. We recommended that HHS establish a time frame for documenting and sharing a national plan for distributing and administering COVID-19 vaccines. HHS neither agreed nor disagreed with this recommendation.

Under the Consolidated Appropriations Act, 2021, the Director of the Centers for Disease Control and Prevention is required to provide an updated and comprehensive COVID-19 vaccine distribution strategy and a spend plan to certain congressional committees within 30 days of enactment (by January 26, 2021). The strategy and plan must include, among other things, guidance for how states, localities, territories, tribes, health care providers, and others should prepare for, store, and administer vaccines. [10]

Our past work on lessons learned from the H1N1 vaccine campaign also points to the importance of effective communication about vaccine availability to successfully manage public expectations. Managing public expectations regarding the COVID-19 vaccine will be especially critical because initial supplies of vaccine have been limited. We are continuing to monitor HHS’s efforts related to COVID-19 vaccines.

Additionally, for vaccination efforts more generally, the Consolidated Appropriations Act, 2021, requires the Secretary of Health and Human Services to award competitive grants or contracts to one or more public or private entities to carry out a national, evidence-based campaign to increase awareness and knowledge of the safety and effectiveness of vaccines for the prevention and control of diseases, combat misinformation about vaccines, and disseminate scientific and evidence-based vaccine-related information, with the goal of increasing rates of vaccination across all ages, as applicable, particularly in communities with low rates of vaccination, to reduce and eliminate vaccine preventable diseases. [11]

Collect and analyze data to inform future decisions. Data collection and analysis efforts during a pandemic can inform decision-making and future preparedness—and allow for midcourse changes in response to early findings. However, in January 2021 we reported that COVID-19 data collected by HHS from states and other entities—which are critical to inform a robust, national response—are often incomplete and inconsistent, including data on the type and volume of testing.

To improve response to the current and future pandemics, we recommended that HHS use an expert committee to systematically review and inform the alignment of ongoing data collection and reporting standards for key health indicators. HHS partially concurred with this recommendation and agreed that it should establish a dedicated working group or other mechanism with a focus on addressing COVID-19 data collection shortcomings.

We have ongoing and planned work to continue to assess HHS’s leadership and coordination of the COVID-19 response, as well as its leadership and coordination of biodefense preparedness efforts, state and local preparedness efforts, and the medical product supply chain and Strategic National Stockpile, among other work. We will determine whether this issue should be added to the High-Risk List once we have completed this ongoing and planned work.

Strengthening Management of the Federal Prison System

With a fiscal year 2020 appropriation approaching $8 billion [12] and more than 37,000 staff, the Department of Justice’s (DOJ) Bureau of Prisons (BOP) is responsible for the care, custody, and rehabilitation of about 154,000 federal inmates—nearly half of whom are incarcerated for federal drug offenses.

Since 2010, we have published 19 prison-related reports and made 39 recommendations to BOP. We made 19 of the 39 recommendations in the last 5 years, and 16 of these recommendations have not yet been addressed. Our work has shown that BOP’s deficiencies can generally be categorized into three themes: (1) inadequate management of staff and resources, (2) inadequate planning for new programs or initiatives that help inmates prepare for a successful return to the community, including drug treatment programs; and (3) insufficient monitoring and evaluation of these inmate programs, which has led to imprudent spending.

Furthermore, BOP has experienced significant leadership instability, with the turnover of five different acting or permanent directors from 2016 through 2020. We also have found that many of BOP’s program evaluations are almost 20 years old and that outdated or limited program evaluation has hampered BOP’s ability to gauge the benefits of its efforts.

Congressional concerns have been raised about BOP’s management and performance. In 2014, the Consolidated Appropriations Act, 2014, appropriated funds for a task force to improve federal corrections, and, in December 2018, the First Step Act of 2018 was enacted. [13] The act directs BOP to address many of the same areas that the task force recommended in 2016, including developing an assessment system to gauge inmates’ risk of future criminal behavior and identify their program needs to reduce the likelihood of their return to prison following release. [14] Further, in July 2020, the U.S. House of Representatives formed the bipartisan Bureau of Prisons Reform Caucus, which aims to improve the communication, transparency, and efficiency of the BOP.

Among our ongoing and planned studies reviewing BOP’s management and operations, our work to assess BOP’s implementation of the First Step Act of 2018 will be critical to determining BOPs progress in enhancing inmate programs and reducing recidivism. As the primary agency responsible for the safety, care, and rehabilitation of individuals sentenced for committing federal crimes, BOP must demonstrate leadership commitment, capacity, and action planning.

Such actions will ensure efficient management of its staff and resources and enhance planning and evaluation of key programs that help inmates prepare for a successful return to the community. We will determine whether strengthening management of the federal prison system should be added to the High-Risk List based on BOP’s implementation of the First Step Act of 2018 and once our relevant assessments are complete.

High-Risk Areas Have Made Limited Progress Overall

Agencies demonstrate progress by addressing our five criteria for removal from the list: leadership commitment, capacity, action plan, monitoring, and demonstrated progress. [15] As shown in table 1, only 14 of the high-risk areas, or fewer than half, have met one or more of the five criteria for removal from the High-Risk List.

Compared with our last assessment, seven high-risk areas showed progress in one or more of the five criteria. Five areas declined since 2019. These changes are indicated by the up and down arrows in table 1.
Table 1: 2021 High-Risk Areas Rated against Five Criteria for Removal from GAO’s High-Risk List

Number of criteria

High-risk area

Change since 2019

Met

Partially met

Not met

DOD Support Infrastructure Management

5

0

0

NASA Acquisition Management

3

2

0

Managing Federal Real Property a

2

3

0

DOD Financial Management

1

4

0

Government-wide Personnel Security Clearance Process

1

4

0

Managing Risks and Improving VA Health Care

0

3

2

DOE’s Contract and Project Management for the National Nuclear Security Administration and Office of Environmental Management

0

5

0

USPS Financial Viability

1

2

2

Decennial Census

0

5

0

Ensuring the Cybersecurity of the Nation

0

5

0

Strategic Human Capital Management

0

4

1

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

0

4

1

Strengthening Department of Homeland Security Management Functions

3

2

0

Medicare Program & Improper Payments b

2

3

0

DOD Contract Management a

1

4

0

DOD Weapon Systems Acquisition

1

4

0

Enforcement of Tax Laws

1

4

0

Improving the Management of IT Acquisitions and Operations

1

4

0

Protecting Public Health through Enhanced Oversight of Medical Products

1

4

0

DOD Approach to Business Transformation

1

4

0

DOD Business Systems Modernization

0

5

0

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

0

5

0

Improving and Modernizing Federal Disability Programs

0

5

0

Improving Federal Management of Programs that Serve Tribes and Their Members

0

5

0

Management of Federal Oil and Gas Resources a

0

5

0

Modernizing the U.S. Financial Regulatory System

0

5

0

National Flood Insurance Program

0

5

0

Strengthening Medicaid Program Integrity

0

5

0

Resolving the Federal Role in Housing Finance

0

4

1

Improving Federal Oversight of Food Safety

0

3

2

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

0

3

2

U.S. Government’s Environmental Liability

0

1

4

VA Acquisition Management c

n/a

0

2

3

Funding the Nation’s Surface Transportation System d

n/a

n/a

n/a

n/a

Pension Benefit Guaranty Corporation Insurance Programs d

n/a

n/a

n/a

n/a

National Efforts to Prevent, Respond to, and Recover from Drug Misuse e

n/a

n/a

n/a

n/a

Emergency Loans for Small Businesses e

n/a

n/a

n/a

n/a
Legend:
: area progressed on one or more criteria since 2019
: area declined on one or more criteria since 2019
●: no change in rating since 2019
n/a: not applicable
Source: GAO. | GAO-21-119SP

aRatings for a segment within this high-risk area improved sufficiently that the segment was removed.
bMedicare Program & Improper Payments was only rated on Improper Payments; we did not rate other elements of the Medicare program because the area is subject to frequent legislative updates and the program is in a state of transition.
cOne area is receiving ratings for the first time because it was newly added in 2019.
dTwo high-risk areas are not rated because addressing them primarily involves congressional action.
eTwo high-risk areas are not rated because they are newly added in 2021.

Figure 3 shows changes since our 2019 update in ratings on the five criteria for removal from the High-Risk List. For example, on leadership commitment, one area improved, while three regressed.

Figure 3: High-Risk Areas’ Progress and Regress on High-Risk Criteria Since 2019

Leadership Attention Needed to Meet High-Risk Criteria

Table 2 shows that only 12 of 33 high-risk areas we rated have met the leadership commitment criterion. Three high-risk area ratings regressed on leadership commitment from met to partially met since our last report. [16]

Leadership commitment is the critical element for initiating and sustaining progress, and leaders provide needed support and accountability for managing risks. Leadership commitment is the foundation for progress on the other four high-risk criteria. For example, leadership commitment to develop action plans that address the root causes of problems leads to progress on high-risk areas because action plans establish the basis for effective monitoring which leads to demonstrated progress.

Table 2 shows that only two high-risk areas met the criterion for capacity, five met the criterion for action plan, four met the criterion for monitoring, and one met the criterion for demonstrated progress
Table 2: 2021 High-Risk Area Ratings on Five Criteria for Removal from GAO’s High-Risk List

High-risk area

Criteria

Leadership commitment

Capacity

Action plan

Monitoring

Demonstrated progress

DOD Support Infrastructure Management

NASA Acquisition Management

Strengthening Department of Homeland Security Management Functions

Managing Federal Real Property

Medicare Program & Improper Payments a

DOD Contract Management

DOD Weapon Systems Acquisition

Enforcement of Tax Laws

Improving the Management of IT Acquisitions and Operations

Protecting Public Health through Enhanced Oversight of Medical Products

DOD Financial Management

Government-wide Personnel Security Clearance Process

DOD Approach to Business Transformation

USPS Financial Viability

Decennial Census

DOD Business Systems Modernization

DOE’s Contract and Project Management for the National Nuclear Security Administration and Office of Environmental Management

Ensuring the Cybersecurity of the Nation

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Improving and Modernizing Federal Disability Programs

Improving Federal Management of Programs that Serve Tribes and Their Members

Management of Federal Oil and Gas Resources

Modernizing the U.S. Financial Regulatory System

National Flood Insurance Program

Strengthening Medicaid Program Integrity

Resolving the Federal Role in Housing Finance

Strategic Human Capital Management

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

Improving Federal Oversight of Food Safety

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

Managing Risks and Improving VA Health Care

VA Acquisition Management

U.S. Government’s Environmental Liability

Legend: Met

Partially Met

Not Met


Source: GAO. | GAO-21-119SP

Note: Two high-risk areas—Funding the Nation’s Surface Transportation System and Pension Benefit Guaranty Corporation Insurance Programs—did not receive ratings against the five high-risk criteria because progress would primarily involve congressional action. Emergency Loans for Small Businesses and National Efforts to Prevent, Respond to, and Recover from Drug Misuse were not yet rated due to their new inclusion on the High-Risk List in 2021.
aMedicare Program & Improper Payments was only rated on Improper Payments, and we did not rate other elements of the Medicare program.

Progress in High-Risk Areas

As noted, seven areas showed improvement in one or more criterion. One area showed sufficient progress to be removed from the High-Risk List. The other six high-risk areas remain on the 2021 list and are described below. In addition, as described below, three high-risk areas, Managing Federal Real Property, DOD Contract Management, and the Management of Federal Oil and Gas Resources, showed sufficient progress within individual segments to remove those segments from the high-risk area. Appendix II provides additional detail on each of these areas.
  • National Aeronautics and Space Administration (NASA) Acquisition Management. The NASA Acquisition Management high-risk area ratings improved from partially met in 2019 to met in 2021 for the leadership commitment and monitoring criteria. Since 2019, NASA has demonstrated leadership commitment by taking steps to improve transparency and monitoring of major project cost and schedules. NASA also has instituted a process for monitoring progress and validating the effectiveness of its corrective action plan. NASA revised metrics such as reporting current cost and schedule performance against original baselines.
  • Managing Federal Real Property. The scope of the Managing Federal Real Property high-risk area is narrowing due to improvements since 2019. The Costly Leasing segment has met all five criteria and it therefore has been resolved as a high-risk issue. The General Services Administration (GSA) has taken steps to reduce its reliance on costly leases, improved monitoring efforts, and demonstrated quantifiable improvements in leasing amounts and costs. Further, all remaining segments have now fully met the criterion for action plan as GSA and the Federal Protective Service have finalized action plans in 2019 and 2020 designed to improve the security of federal facilities. More progress is needed among a range of federal agencies and their law enforcement partners to defend against ever changing threats.
  • DOD Financial Management. The rating for the demonstrated progress criterion within the DOD Financial Management high-risk area improved from not met in 2019 to partially met in 2021. Specifically, DOD completed its third entity-wide financial statement audit and implemented corrective actions that enabled auditors to close 623 (26 percent) of the audit findings issued in fiscal year 2018. DOD also developed performance metrics to assess its progress on audit remediation priority areas.
  • Government-wide Personnel Security Process. The Government-wide Personnel Security Process high-risk area improved from a not met rating in 2019 to a partially met rating in 2021 for the action plan criterion. This is because the Office of the Director of National Intelligence (ODNI), the Office of Personnel Management (OPM), and DOD adopted some action plans to reduce the backlog of investigations and to transfer the legacy IT systems that support the background investigation process from OPM to DOD.
  • Managing Risks and Improving Department of Veterans Affairs (VA) Health Care. The Managing Risks and Improving VA Health Care high-risk area improved from a not met rating in 2019 to a partially met rating in 2021 for the capacity criterion due, in part, to the initiatives VA has maintained and the resources it has allocated to strategic planning and other efforts. While VA’s efforts resulted in an improved capacity rating, it lacks a thoroughly developed action plan with the top leadership support needed to make progress against its high-risk designation.
  • DOE’s Contract and Project Management for the National Nuclear Security Administration (NNSA) and Office of Environmental Management (EM). Since 2019, the Department of Energy’s (DOE) Contract and Project Management for the NNSA and EM high-risk area progressed from a not met to a partially met rating for the capacity criterion. Both NNSA and EM have taken actions to improve their capacities for managing their contracts and projects, such as (1) NNSA requesting and receiving an increase in its number of federal positions to address critical unmet staffing needs; and (2) EM launching its Acquisition Corps initiative in July 2020 to hire and train additional staff to evaluate bids for EM contract awards.
  • DOD Contract Management. The DOD Contract Management high-risk area is narrowing due to improvements since 2019, resulting in the removal of the Acquisition Workforce segment for which it has met all five criteria. We have removed the segment because DOD has significantly rebuilt its acquisition workforce as measured by the number of personnel in acquisition career fields, their experience level, education level, and training certification.

    The two remaining segments, Service Acquisitions and Operational Contract Support, continue to meet the criterion for leadership commitment but work remains. For example, for Service Acquisitions, DOD needs to issue and implement enhanced budget planning guidance. For Operational Contract Support, DOD needs to address identified capability shortfalls.
  • Management of Federal Oil and Gas Resources. The Management of Federal Oil and Gas Resources high-risk area is narrowing in scope to remove one segment where progress has been made to resolve long-standing deficiencies—Restructuring of Offshore Oil and Gas Oversight. The Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) made progress to address problems in the bureau’s investigative, environmental compliance, and enforcement capabilities, and implemented strategic initiatives to improve offshore oversight and internal management.

    Specifically, BSEE led a change management initiative, encompassing more than 180 actions, to reform offshore oil and gas oversight. For each action, BSEE identified specific steps, completion target dates, and parties responsible. Further, BSEE held regular status updates and developed a performance management dashboard to better enable the bureau to assess and address the efficacy of its reforms.

    The removal of the Restructuring of Offshore Oil and Gas Oversight segment represents important progress. However, the remaining segments of the high-risk area—Revenue Determination and Collection and Human Capital—regressed since 2019 on one or more criterion.

Congressional Action Aided Progress on High-Risk Issues

Congress enacted several laws in recent years to help make progress on high-risk issues. Table 3 lists selected examples of congressional actions taken on high-risk areas.
Table 3: Examples of Congressional Actions Taken on High-Risk Areas

High-risk area

Congressional actions taken

How GAO work contributed to congressional actions

Impact on high-risk area

Improving and Modernizing Federal Disability Programs

The Veterans Appeals Improvement and Modernization Act of 2017 replaced the former appeals process with one that gives veterans various options to have their claim reviewed further by the Veterans Benefits Administration (VBA) or to bypass VBA and appeal directly to the Board of Veterans’ Appeals. The act also required the Department of Veterans Affairs (VA) to submit a comprehensive plan for implementing the new appeals process. a

The act included a provision for GAO to assess VA’s appeals plan, including whether the plan comports with sound planning practices and/or contains gaps. b Subsequently, we participated in several House Committee on Veterans’ Affairs roundtables in 2017 and 2018 and issued several products associated with our assessment of VA’s appeals plan between 2018 and 2020.

VA implemented the requirements of the 2017 legislation in 2019 by streamlining its disabilities appeals process. (Capacity)

Enforcement of Tax Laws

Section 1101 of the Taxpayer First Act required the Internal Revenue Service (IRS) to develop a customer service strategy, and section 2301 of the act allowed IRS to lower the electronic filing threshold for filers that file 100 or more information returns in 2021 or 10 or more in subsequent years. c

We reported in September 2020 that IRS did not have performance goals and related measures for improving the taxpayer experience.

IRS planned to identify performance goals, measures, and targets as part of its January 2021 report to Congress. We are reviewing the new report to determine the extent to which it addresses our prior recommendations. (Action plan)

Expanded electronic-filing will help IRS identify which returns would be most productive to examine. (Monitoring)

Improving the Management of Information Technology (IT) Acquisitions and Operations

Subtitle G of title X of the National Defense Authorization Act for Fiscal Year 2018 (2018 NDAA) established a Technology Modernization Fund and Board and allowed agencies to establish agency IT system modernization and working capital funds. d

We identified the need to better manage the billions of dollars the federal government spends annually on legacy IT when we added this area to the High-Risk List in 2015. We further examined the government’s heavy reliance on legacy IT systems in our 2016 report.

The 2018 NDAA provisions (1) allowed agencies to establish working capital funds for use in transitioning away from legacy IT systems and (2) created a technology modernization fund to help agencies retire and replace legacy systems, as well as acquire or develop new systems. (Capacity)

Government-wide Personnel Security Clearance Process

Section 925 of the 2018 NDAA requires the Director of National Intelligence, in coordination with the Chair and other principals of the Security, Suitability, and Credentialing Performance Accountability Council, to provide an annual report including a discussion of any impediments to the timely processing of personnel security clearances. e

The 2017 passage of the 2018 NDAA is consistent with our December 2017 report, in which we asked Congress to consider both reinstating and adding to the requirement in the Intelligence Reform and Terrorism Prevention Act of 2004 for the executive branch to report to appropriate congressional committees annually on its background investigation process.

Annual assessments will help Congress monitor the timeliness of the executive branch’s background investigations, in addition to helping the executive branch monitor its own timeliness. The act requires the executive branch to report the length of time for initiating and conducting investigations and finalizing adjudications, as well as case load composition and costs, among other matters deemed relevant by Congress. (Monitoring)

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

Section 1234 of the Disaster Recovery Reform Act of 2018 (DRRA) allows the President to set aside, with respect to each major disaster, a percentage of certain grants to use for pre-disaster hazard mitigation. Section 1206 makes federal assistance available to state and local governments for building code administration and enforcement. f

We found that federal investments in resilience could be more effective if post-disaster hazard mitigation efforts were balanced with resources for pre-disaster hazard mitigation, as part of a comprehensive resilience investment strategy. We also found that enhancing state and local disaster resilience could help reduce federal fiscal exposure.

As a result of DRRA, in August 2020, the Federal Emergency Management Agency established the Building Resilient Infrastructure and Communities grant programs to support pre-disaster investment in community resilience efforts and has begun accepting applications. (Capacity)

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Section 1049 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (2019 NDAA) requires DOD to establish and maintain a list of acquisition programs, technologies, manufacturing capabilities, and research areas that are critical for maintaining the national security technological advantage of the United States over foreign countries of special concern. g

Sections 1717(a) and 1721(b) of the Foreign Investment Risk Review Modernization Act of 2018 provides special hiring authorities for agencies that are members of the Committee on Foreign Investment in the U.S. and requires each member agency to submit detailed spending plans annually for 8 years to the appropriate congressional committees, including estimated staffing levels. h

Since 2007, we have identified the need to strengthen individual programs and activities for protecting critical technologies and called for better coordination across these programs.

In 2018, we found that the workload of the Committee on Foreign Investment in the U.S. increased by more than 50 percent between 2011 and 2016. We recommended that the Secretary of the Treasury, as the chair of the committee, work with member agencies to assess staffing needs.

The 2019 NDAA provisions allow for better understanding and communication of DOD’s critical programs and technologies. (Action plan)

The Foreign Investment Risk Review Modernization Act of 2018 provisions strengthen and modernize the activities of the Committee on Foreign Investment in the U.S., in part, by granting special hiring authorities. (Capacity)

Department of Defense (DOD) Approach to Business Transformation

Section 921 of the 2019 NDAA mandated DOD to prepare a report on defense business operations. i

We reported in November 2020 that in its January 2020 report, DOD addressed most of the key requirements of the 2019 NDAA, such as reporting the number of military and civilian personnel as well as the costs of required enterprise business activities.

DOD made some progress since 2019 in establishing valid and reliable cost baselines for its enterprise business operations and in documenting related cost savings. (Monitoring)
Source: GAO. | GAO-21-119SP

aPub. L. No. 115-55, §§ 2, 3, 131 Stat. 1105, 1105–1119 (2017).
bPub. L. No. 115-55, § 3(c), 131 Stat. at 1118–1119.
cPub. L. No. 116-25, §§ 1101, 2301, 133 Stat. 981, 985–986, 1012–1013 (2019), classified at 26 U.S.C. §§ 7804 note, 6011(e).
dPub. L. No. 115-91, §§ 1076–1078, 131 Stat. 1283, 1586–1594 (2017).
ePub. L. No. 115-91, § 925(k)(1)(F), 131 Stat. at 1530 (2017). The annual reporting requirement sunsets after December 31, 2021.
fFAA Reauthorization Act of 2018, Pub. L. No. 115-254, div. D, Disaster Recovery Reform Act of 2018, §§ 1206(a)(3), 1234(a)(5), 132 Stat. 3186, 3440, 3462 (2018), classified at 42 U.S.C. §§ 5170a(5), 5133(i).
gJohn S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 1049, 132 Stat. at 1961–1962.
hPub. L. No. 115-232, div. A, title XVII, subtitle A, §§ 1717(a), 1721(b), 132 Stat. at 2192–2193, 2202.
iPub. L. No. 115-232, § 921(a), 132 Stat. 1636, 1926–1927 (2018), codified at 10 U.S.C. § 132a(c)(1)(C).

Executive Branch Action on High-Risk Areas Produced Financial Benefits

Actions that agency leaders took to implement our recommendations in some high-risk areas resulted in significant financial benefits. Table 4 shows some examples of these benefits.
Table 4: Examples of GAO High-Risk Area Recommendations Leading to Financial Benefits

High-risk area

GAO recommendations leading to financial benefits

Financial benefits achieved

Department of Defense (DOD) Weapon Systems Acquisition

For two decades, our work has identified best practices that DOD could use to improve how it develops and acquires weapon systems. In 2006 and 2008, we found that DOD had taken positive steps by adopting a framework for applying best practices; however, these practices were not applied consistently and cost and schedule overruns persisted. Subsequently, the Weapon Systems Acquisition Reform Act of 2009 sought to improve the way DOD acquires major weapon systems and incorporated many of our related recommendations.

In 2016 and 2018, we found that (1) selected programs started after the act’s implementation had less cost growth than those begun prior to the act, and (2) the majority of more recent programs were using best practices we had long recommended. In 2019, we identified a cost avoidance totaling $136 billion in procurement funding DOD realized from 2013 to 2018 after reforming business case and cost estimate practices.

Strengthening Medicaid Program Integrity

In multiple reports, we found that demonstration spending limits approved by the Department of Health and Human Services (HHS) often were not budget neutral, as required by HHS policy. This increased the federal government’s fiscal liability by billions of dollars. We recommended that HHS better ensure that valid methods are used to determine spending limits.

HHS responded by limiting the amount of unspent funds states may accrue and reducing the federal government’s fiscal liability. As a result, HHS was able to identify a total of $56.1 billion in financial benefits for fiscal years 2018 and 2019.

Improving the Management of Information Technology (IT) Acquisitions and Operations

In multiple reports, we made recommendations for improving the management of IT portfolios, which resulted in reduced agency commodity IT spending and fewer duplicative investments.

Agencies have achieved about $2.7 billion in savings from fiscal years 2012 to 2018 through the Office of Management and Budget’s PortfolioStat, which was intended to consolidate and eliminate duplicative systems. Agencies have the potential to achieve more than $3 billion in additional savings.

Enforcement of Tax Laws

We found in 2014 that IRS could help address identity theft tax refund fraud by matching wage information that employers report on the W-2 tax form to individuals’ tax returns before issuing refunds. However, employers’ wage data were not available until months after IRS issued most refunds. We recommended IRS assess the costs and benefits of accelerating W-2 deadlines and report this information to Congress. IRS reported to Congress in 2015, and the deadline for employers to file W-2s was advanced in a statute, effective beginning in 2017. a

In response to the accelerated deadline, IRS enhanced its fraud and noncompliance detection tools. IRS’s actions have enabled it to avoid paying invalid refunds. We determined that IRS saved about $1.8 billion in fiscal years 2017 and 2018 from using W-2 information to prevent the issuance of invalid refunds.
Source: GAO. | GAO-21-119SP

aPub. L. No. 116-25, § 2301, 133 Stat. 981, 1012–1013 (2019), classified at 26 U.S.C. § 6011(e).

High-Risk Areas Needing Significant Attention

In the 2 years since our last High-Risk Report, five areas—the U. S. Postal Service’s (USPS) Financial Viability, Decennial Census, Ensuring the Cybersecurity of the Nation, Strategic Human Capital Management, and Transforming the Environmental Protection Agency’s (EPA) Process for Assessing and Controlling Toxic Chemicals—have regressed in their ratings against our criteria for removal from the High-Risk List.

Five High-Risk Areas That Regressed

USPS Financial Viability

The USPS Financial Viability high-risk area declined from a partially met rating in 2019 to a not met rating in 2021 for the criterion of capacity. This regression is due to USPS’s business model not being financially sustainable. USPS expenses exceeded revenues by $18 billion in fiscal years 2019 and 2020 as its labor compensation costs continued to increase while the volume of its most profitable mail products continued to decline.

Decennial Census

The Census high-risk area declined from a met rating in 2019 to a partially met rating in 2021 for the leadership commitment criterion. This regression is because the Department of Commerce requested that the U.S. Census Bureau (Bureau) shorten data collection time frames and response processing of census data in an effort to meet the apportionment deadline of December 31, 2020, even though COVID-19 had forced the Bureau to pause field data collection operations for approximately 3 months. Compressing the time frame to collect data and process responses has increased the risk of compromised data quality.

Ensuring the Cybersecurity of the Nation

The Ensuring the Cybersecurity of the Nation high-risk area declined from a met rating in 2019 to a partially met rating in 2021 for the criterion of leadership commitment. This regression is due to missing (1) important characteristics of a national strategy in the White House’s September 2018 National Cyber Strategy and the National Security Council’s accompanying June 2019 Implementation Plan and (2) an officially appointed central leader for coordinating the execution of the White House’s approach to managing the nation’s cybersecurity. Such a position was established by statute in January 2021. [17] As of mid-January 2021, the position had not yet been filled.

Strategic Human Capital Management

The Strategic Human Capital Management high-risk area declined from a met rating in 2019 to a partially met rating in 2021 for the leadership commitment criterion. This regression is due to the absence of Senate-confirmed leadership at OPM for 18 of the last 24 months, as of January 2021. As a result, the federal government has lacked the attention from the highest levels needed to address long-standing and emerging skills gaps.

Mission-critical skills gaps both within federal agencies and across the federal workforce impede the government from effectively serving the public and achieving results. Skills gaps caused by insufficient number of staff, inadequate workforce planning, and a lack of training in critical skills are contributing to our designating 22 of the 35 other areas as high risk.

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

The Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals high-risk area declined in the monitoring criterion from a partially met rating in 2019 to a not met rating in 2021; three criteria in each of the two segments declined to a not met rating in 2021. The Integrated Risk Information System (IRIS) Program did not issue a completed chemical assessment between August 2018 and December 2020, and EPA (1) did not indicate how it was monitoring its assessment nomination process to ensure it was generating quality information about chemical assessment needs; and (2) lacked implementation steps and resource information in its strategic plan and metrics to define progress in the IRIS Program.

Additionally, EPA’s programs supporting the Toxic Substances Control Act (TSCA) (1) did not complete workforce or workload planning to ensure the agency can meet TSCA deadlines; and (2) did not meet initial statutory deadlines for releasing its first 10 chemical risk evaluations.

Additional High-Risk Areas That Need Significant Attention

While progress is needed across all high-risk areas, we have identified four additional areas that require significant attention to address imminent, long-standing, or particularly broad issues affecting the nation or where agencies have stalled in their efforts to make progress to address outstanding issues. See appendix II for additional detail on these high-risk areas, including more details on actions that need to be taken.

Improving the Management of IT Acquisitions and Operations

The federal government currently invests more than $90 billion annually in IT, and the Improving the Management of IT Acquisitions and Operations high-risk area continues to face significant challenges. These challenges include (1) 21 of 24 major federal agencies not modifying their practices to fully address the role of their chief information officers; (2) agencies not documenting modernization plans or not including key elements identified in best practices in their plans; (3) agencies needing to take further action to reduce duplicative IT contracts; (4) GSA and OMB having fewer funds available than anticipated to award to new projects for replacing aging IT systems; and (5) agencies not implementing our remaining 400 open recommendations related to this high-risk area.

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

Climate change poses risks to many environmental and economic systems and creates a significant fiscal risk to the federal government. Since our 2019 High-Risk Report, the federal government has not made measurable progress to reduce its fiscal exposure to climate change; therefore, this high-risk area warrants significant attention. Specifically, the federal government needs to, among other things, (1) lead the development of a national climate strategic plan; (2) establish an entity to prioritize national-scale climate resilience projects; (3) develop a national climate information system; (4) make structural changes to the flood and crop insurance programs; and (5) establish a pilot program for community climate migration.

U.S. Government’s Environmental Liability

For fiscal year 2020, DOE’s estimated environmental liability was $512 billion. While DOE is responsible for the largest share of the environmental liability, DOD has the second largest share with $75 billion for fiscal year 2020. The U.S. Government’s Environmental Liability high-risk area warrants significant attention as it has received not met ratings for four of the five high-risk criteria—capacity, action plan, monitoring, and demonstrated progress—in both the 2019 and 2021 High-Risk Reports.

For example, although DOE’s Office of Environmental Management developed a strategic vision in 2020 for the next decade of cleanup activities, it has not developed a strategic plan that incorporates the principles of risk-informed decision-making. Further, in November 2020, the DOD Inspector General found that DOD is unable to develop accurate estimates and account for environmental liabilities in accordance with accounting practices.

Improving Federal Oversight of Food Safety

The Improving Federal Oversight of Food Safety high-risk area warrants significant attention as federal agencies have not developed a national plan or strategy for food safety that would help identify needed resources and responsible agencies. Specifically, Congress has not directed OMB to develop a government-wide performance plan for food safety to address our December 2014 matter.

In addition, the previous administration did not take action to develop such a plan or to address our January 2017 recommendation to develop a national strategy for food safety. The federal food safety agencies would benefit from a centralized collaborative mechanism on food safety, a mechanism that has not been in place for 10 years.

Closing 


Our high-risk program continues to be a top priority at GAO and we will maintain our emphasis on identifying high-risk issues across government and on providing recommendations and sustained attention to help address them, by working collaboratively with Congress, agency leaders, and OMB.

As part of this effort, OMB’s role is especially important because many high-risk areas are government-wide or involve multiple agencies. Also, there are resource investments associated with correcting a number of the high-risk problems. We hope OMB will resume regular meetings with the OMB Deputy Director for Management, top agency leaders, and GAO to discuss progress in addressing each of the individual high-risk areas. In recent years OMB has largely discontinued this practice. We hope that these sessions can be resumed because they have in the past led to greater progress on high-risk issues.

We are providing this update to the President and Vice President, congressional leadership, other Members of Congress, OMB, and the heads of major departments and agencies.

Gene L. Dodaro
Comptroller General
of the United States

Congressional Addressees

The Honorable Gary C. Peters
Chairman
The Honorable Rob Portman
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Carolyn B. Maloney
Chairwoman
The Honorable James Comer
Ranking Member
Committee on Oversight and Reform
House of Representatives

Appendixes and Enclosures 


IN THIS SECTION


Appendix I: Background

What Is the History of the High-Risk Program?

In 1990, we began a program to report on government operations that we identified as “high risk.” Since then, generally coinciding with the start of each new Congress, we have reported on the status of progress addressing high-risk areas and have updated the High-Risk List. Our last high-risk update was in March 2019. [18] That update identified 35 high-risk areas. This year, we added two high-risk areas—National Efforts to Prevent, Respond to, and Recover from Drug Misuse and Emergency Loans for Small Businesses—and removed one—DOD Support Infrastructure Management.

Overall, this program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since our program began, the federal government has taken high-risk problems seriously and has made long-needed progress toward correcting them. In a number of cases, progress has been sufficient for us to remove the high-risk designation. A summary of changes to our High-Risk List over the past 29 years is shown in table 5. This 2021 update identifies 36 high-risk areas.
Table 5: Changes to the High-Risk List, 1990-2021

Number of areas

Original High-Risk List in 1990

14

High-risk areas added since 1990

50

High-risk areas removed since 1990

27

High-risk area separated out from existing area

1

High-risk areas consolidated since 1990

2

High-Risk List in 2021

36
Source: GAO. | GAO-21-119SP

How Can Agencies Use the Criteria to Make Progress on High-Risk Issues?

The five high-risk criteria form a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the criteria leads to progress, while satisfying all of the criteria is central to removal from the list.

In April 2016, we reported on how agencies had made progress addressing high-risk issues. [19] We provided illustrative actions that agencies took that led to progress or removal from our High-Risk List. This information provides additional guidance to agencies whose programs are on the High-Risk List.

Figure 4 shows the five criteria and illustrative actions taken by agencies to address the criteria as cited in that report. Importantly, the actions listed are not “stand alone” efforts taken in isolation from other actions to address high-risk issues. That is, actions taken under one criterion may be important to meeting other criteria as well. For example, top leadership can demonstrate its commitment by establishing a corrective action plan including long-term priorities and goals to address the high-risk issue and using data to gauge progress—actions which are also vital to monitoring criteria.

Figure 4: Criteria for Removal from the High-Risk List and Examples of Actions Leading to Progres

What Is the History of Programs Removed from the High-Risk List?

A summary of areas removed from our High-Risk List over the past 31 years is shown in figure 5.

Figure 5: History of Areas Removed from the High-Risk List

When Were Areas Added to the High-Risk List?

The areas on our 2021 High-Risk List, and the year each was designated as high risk, are shown in figure 6.

Figure 6: History of Areas Added to the High-Risk List, by Year

Appendix II: Overview for Each High-Risk Area

The following pages provide overviews of the 36 high-risk areas on our updated list, as well as one high-risk area that we are removing from the list. Each overview discusses (1) why the area is high risk, (2) the actions that have been taken and that are under way to address the problem since our last update in 2019, and (3) what remains to be done. Each of these high-risk areas is also described on our High-Risk List website, http://www.gao.gov/highrisk/overview.

DOD Support Infrastructure Management

We are removing this high-risk area because the Department of Defense (DOD) has made sufficient progress on the remaining seven actions and outcomes we recommended for improving this critical area. DOD leadership commitment contributed to this successful outcome.

Why Area Was High Risk

DOD manages a portfolio of real property assets that, as of November 2019, reportedly included about 573,000 facilities—including barracks, maintenance depots, commissaries, and office buildings. According to DOD estimates, the combined replacement value of this portfolio is about $1.3 trillion and includes about 26 million acres of land at more than 4,500 sites worldwide. This infrastructure is critical to maintaining military readiness. The cost to build and maintain this infrastructure represents a significant financial commitment.

DOD Support Infrastructure Management has been on our High- Risk List since 1997 because of challenges DOD faced in reducing excess infrastructure, more efficiently using underutilized facilities, and reducing base support costs.

DOD has used the BRAC process primarily to reduce excess infrastructure, readjust bases to accommodate changes in the size and structure of DOD’s forces, and produce cost savings. Since 1988, Congress has authorized five BRAC rounds, most recently in 2005. Based on our analysis of the 2005 BRAC round, we found that opportunities existed for DOD and Congress to improve future BRAC rounds.

Contact Information

For additional information about this high-risk area, contact Elizabeth Field at (202) 512-2775 or fielde1@gao.gov.

From 2017 to 2019, we identified 16 actions and outcomes DOD needed to implement for its support infrastructure management to be removed from the High-Risk List. In our 2019 High-Risk Report, we reported that DOD had made progress addressing nine actions and met the criteria of leadership commitment and action plan.

We are removing DOD Support Infrastructure Management from the High-Risk List because DOD has met the remaining three criteria (capacity, monitoring, and demonstrated progress) by addressing the outstanding seven actions and outcomes identified in our 2019 High-Risk Report.

Leadership commitment: met. DOD senior leaders continued to demonstrate commitment to improving the department’s support infrastructure management. In our 2019 High-Risk Report, we reported that DOD had committed to actions such as (1) pursuing efforts to relocate from costly commercial leased space to nearby installations when possible, and (2) requesting Base Realignment and Closure (BRAC) rounds to address excess capacity between 2013 and 2017, which Congress did not authorize.

Additionally, in October 2019, the Assistant Secretary of Defense for Sustainment formally committed to implementing our remaining recommendations related to future BRAC rounds, which they had previously been unwilling to do. Specifically, for any future BRAC rounds authorized by Congress, DOD agreed to fully identify the cost requirements for military construction, information technology, relocating personnel and equipment, and alternatively financed projects, and to limit the practice of bundling multiple stand-alone BRAC realignments or closures into single recommendations.

DOD further agreed to improve the accuracy of its excess capacity estimates by reliably updating the baseline and using reasonable assumptions for estimating excess infrastructure capacity. DOD also agreed to develop guidance to improve its analysis and ensure consistency for future BRAC rounds.

This commitment addresses four of the seven actions from the 2019 High-Risk Report that we recommended to improve implementation of future BRAC rounds when authorized by Congress. It also shows that DOD leadership is dedicated to improving how it conducts the BRAC process—the primary method of disposing of excess infrastructure and aligning infrastructure to the needs of forces.

Capacity: met. DOD has further demonstrated its capacity to align infrastructure with DOD force structure needs and achieve efficiencies in base support services. In our previous two High-Risk Reports, we reported that DOD demonstrated capacity to align infrastructure with DOD force structure needs by disposing of excess infrastructure during past BRAC rounds. Further, we reported that DOD had consolidated some installation services at joint bases, among other efforts.

DOD continues to improve the accuracy and completeness of its real property data, thereby demonstrating increasing capacity. This addresses an additional action we recommended in the 2019 High-Risk Report. Doing so will help DOD better manage its facilities to meet force structure needs, such as by identifying excess space or utilizing space more effectively.

In previous High-Risk Reports, we noted a persistent problem with the accuracy and completeness of DOD’s real property data—in particular key data for identifying excess or underused space, like facility utilization. In November 2018, we reported that DOD and the military services have corrected some but not all identified discrepancies, such as missing entries for utilization in DOD’s Real Property Assets Database (RPAD). We recommended that DOD and the military services require monitoring of recording processes, implement corrective actions to resolve data discrepancies, and develop a strategy to address risks associated with real property data to improve incomplete and inaccurate real property data. DOD concurred with these recommendations and is implementing them.

Further, we reported in September 2020 that independent public accountants found significant control issues related to events that occur during the life cycle of real property, such as adding, disposing, valuing, and performing physical inventory counts. This finding was related to two of 25 material weaknesses found in a broader audit of DOD’s fiscal year 2019 financial statements. DOD Financial Management is a separate area on the High-Risk List reviewing DOD’s accounting and reporting of its spending and assets. These long-standing issues have prevented DOD from having auditable financial statements.

While DOD needs to take additional action to ensure RPAD contains complete and accurate data, the department has prioritized improving the data. This includes issuing new requirements and processes to improve data quality from 2018 that should help them further improve data quality moving forward.

For example, in 2020, DOD required the military services to use the Data Analytics and Integration Support (DAIS) system for reporting real property inventory data. According to DOD, this system will provide a common platform for DOD real property inventory, connecting individual military service real property systems to a web-based interface. DOD intends DAIS to replace the manual, annual data call to populate the Real Property Asset Database, which we have found contains inaccurate and incomplete data.

In addition, DOD has required military services to use its updated Verification and Validation (V&V) Tool, which checks whether the real property data in DAIS follow real property data quality standards and identifies any data anomalies or errors that need correction.

DOD has demonstrated that it has increasing capacity to put into place systems and processes that, over time, will improve the real property data needed to identify options to align its infrastructure to meet its force structure needs. However, as noted earlier, continued improvements are needed. Thus, while we are removing DOD support infrastructure from the High-Risk series, we will continue to closely monitor DOD’s efforts in this area—in particular as part of the Managing Federal Real Property high-risk area. This high-risk area looks at the efforts of both the Office of Management and Budget (OMB) and the General Services Administration to improve the reliability of information on federal real property government-wide. We will also monitor DOD’s efforts related to improving the accuracy and completeness of its real property data as part of the DOD Financial Management high-risk area mentioned above, which reviews issues with the accounting and reporting of DOD’s spending and assets.

Action plan: met. We reported in 2017 and 2019 that DOD had developed plans, such as its Real Property Efficiency Plan, to better identify excess infrastructure and thus be positioned to dispose of it. DOD issued its most recent version of the Real Property Efficiency Plan in September 2019. In addition to serving as DOD’s real property management plan, it also set the department’s targets for, among other things, reducing the amount of office and warehouse space it uses and the number of buildings it owns in fiscal years 2020 through 2024.

DOD also directed its joint bases in 2017 to stop using higher cost joint base common standards for installation services, and instead use the standards of the military service in charge of providing services at any given joint base. This would decrease the likelihood of increased base support costs.

DOD has also implemented recommendations we made in October 2018 to improve its use of intergovernmental support agreements. These are agreements between military installations and local governments to obtain installation services such as waste removal, grounds maintenance, and stray animal control. These improvements to its use of intergovernmental support agreements address another one of the actions we recommended in the 2019 High-Risk Report.

In October 2018, we reported that a sample of these agreements had resulted in cost savings and cost avoidances for the department. Since then, DOD has implemented our recommendations to monitor the benefits from intergovernmental support agreements and whether installations are evaluating opportunities to use those agreements to reduce costs. With these efforts in place, DOD will be better positioned to reduce base support costs, to identify and dispose of excess space, and to better use underutilized space.

Monitoring: met. Since the 2019 High-Risk Report, DOD has demonstrated improvements in monitoring its processes and systems to align its infrastructure to support its force structure needs and achieve efficiencies. In October 2019, DOD senior leaders committed to implementing our prior recommendations for any future BRAC rounds authorized by Congress.

For example, DOD has agreed to limit the practice of bundling multiple stand-alone realignments or closures into single BRAC recommendations. We reported in 2013 that such bundling did not itemize the costs and savings associated with each separate major action within the bundle. This limited visibility into the estimated costs and savings for individual closures and realignments.

The other recommendations DOD has agreed to implement in future BRAC rounds include fully identifying cost requirements for military construction, information technology, relocating personnel and equipment, and alternatively financed projects.

Additionally, DOD has committed to implementing recommendations we made from May 2018 to improve the accuracy of its excess capacity estimates for future BRAC rounds authorized by Congress. Specifically, the department has committed to (1) reliably update the baseline for estimating excess infrastructure capacity, (2) use reasonable assumptions in estimating excess capacity, and (3) develop guidance to improve its analysis and ensure consistency.

One of the actions recommended in our in 2019 High-Risk Report to improve monitoring was that DOD and the military services should better monitor their processes for recording real property information, develop corrective actions for data discrepancies, and develop a strategy to address risks associated with data. While DOD must continue to work to improve the accuracy and completeness of its real property data, its development of DAIS is expected to improve the monitoring of DOD’s real property, including better financial accounting, reporting, and estimation of infrastructure needs moving forward. Monitoring has also been supported in part by efforts to obtain data to improve DOD’s financial statements.

Further, the military services have since taken steps to implement the recommended action. For example, the Army developed a 5-year plan in 2019 to improve data quality and accountability, including directing physical inspections and record updates continuing through fiscal year 2023. As of September 2019, the Navy checked for existence of facilities—whether facilities listed in its records are in place—and checked for completeness of the data—whether facilities that are in place are listed in records. The Navy is continuing to correct any errors identified through its review and the Financial Improvement and Audit Remediation audit. While the most recent audit did not result in a clean opinion, the Navy’s continuing efforts to use the audit to correct and identify any errors demonstrates an improvement in its monitoring efforts. The Air Force began a data quality program in 2018 to improve its real property, with a goal of 100 percent accuracy by September 2023.

These efforts are ongoing and show that DOD is monitoring systems and processes to improve real property data and ultimately provide better visibility for aligning its infrastructure to support mission needs.

Demonstrated progress: met. In the last few years, DOD has demonstrated progress in aligning its infrastructure to its force structure needs by implementing actions to reduce excess infrastructure and achieve efficiencies in base support. In doing so, DOD has addressed all seven actions we recommended in 2019 to improve management of its support infrastructure.

As mentioned above, DOD addressed four of the seven actions by committing to improve its implementation of future BRAC rounds. Specifically, for future BRAC rounds authorized by Congress, DOD formally committed to fully identifying the cost requirements for military construction, information technology, relocating personnel and equipment, and alternatively financed projects, and limiting the practice of bundling multiple stand-alone BRAC realignments or closures into single recommendations.

DOD further agreed to improve the accuracy of its excess capacity estimates by reliably updating the baseline and using reasonable assumptions for estimating excess infrastructure capacity, as well as developing guidance to improve its analysis and ensure consistency.

DOD has further been working to more efficiently use underutilized installation space through reduction of leases. In its Real Property Efficiency Plan for fiscal years 2020 to 2024, DOD noted that the Army had been focusing on reducing its leases in the National Capital Region, which were among the Army’s most expensive leased inventory. Specifically, DOD reported that the Army reduced its leased footprint in the National Capital Region from a peak of 3.9 million square feet in 2011 to roughly 1 million square feet as of September 2019. The department also implemented recommendations we made to increase the use of intergovernmental support agreements to reduce the cost of installation support services. These actions address the fifth of seven actions we recommended in 2019 to improve support infrastructure management.

As stated above, DOD has also taken steps to improve its real property data to improve oversight and better inform decision-making about aligning infrastructure to mission needs. DOD has required the use of the DAIS platform and the V&V tool to better capture real property data and correct discrepancies. The military services have implemented plans and actions to prioritize and put into place efforts that will lead to a more complete and accurate set of information. While DOD needs to continue to improve the accuracy and completeness of its real property data, we believe that these address the sixth of the actions we had in the 2019 High-Risk Report.

The last remaining action we recommended in the 2019 High-Risk Report was for DOD to continue to assess its infrastructure needs in light of ongoing changes in force structure and work with Congress, as needed, to reduce any excess infrastructure.

DOD continues to be committed to reducing its excess and underutilized space and has addressed this last recommended action. Since 2013, for example, DOD has been reducing excess space as part of the European Infrastructure Consolidation program and continues to assess more reductions as DOD relocates servicemembers in Europe to align with current mission needs.

Further, when OMB began the Freeze the Footprint and the Reduce the Footprint programs (which restrict the growth of excess property by requiring disposal of existing property for each newly acquired property), DOD made significant contributions to overall footprint reduction results as the federal government’s largest property holder.

For example, in fiscal year 2016, DOD’s facility square footage reductions were 68 percent of the total government-wide office and warehouse reductions and 75 percent of other government-wide property reductions. DOD continues to update its Real Property Efficiency Plan to set targets for reducing the amount of office and warehouse space it uses and the number of buildings it owns in fiscal years 2020 through 2024.

The military services have continued to focus on aligning their infrastructure to meet mission needs. For example, the Army is using (1) the Facility Reduction Program to eliminate excess square footage through demolition; (2) the Enhanced Use Lease Authority to leverage underutilized property; and (3) the Return to Host Nation initiative to reduce excess at overseas locations. In January of 2019, the Air Force formalized its Infrastructure Investment Strategy to incentivize installation master planning, including directing a 5 percent reduction in the total Air Force facility footprint to better match its infrastructure to support its mission.

Monitoring after Removal from the High Risk List

DOD demonstrated commendable, sustained progress improving its support infrastructure management. However, this does not mean DOD has addressed all risk within this area. Most notably, DOD faces considerable challenges in ensuring it has accurate and complete real property data. We will continue to monitor DOD’s efforts as part of the Federal Real Property and DOD Financial Management high-risk areas. Moreover, it remains important that senior leaders continue their efforts to implement corrective actions to improve real property data, to continue to dispose of excess infrastructure, and to align infrastructure with the needs of the forces.

We will continue to conduct oversight of these and other support infrastructure management efforts at DOD.

Related GAO Products

Defense Real Property: DOD-Wide Strategy Needed to Address Control Issues and Improve Reliability of Records. GAO‑20‑615. Washington, D.C.: September 9, 2020.

Defense Real Property: DOD Needs to Take Additional Actions to Improve Management of Its Inventory Data. GAO‑19‑73. Washington, D.C.: November 13, 2018.

DOD Installation Services: Use of Intergovernmental Support Agreements Has Had Benefits, but Additional Information Would Inform Expansion. GAO‑19‑4. Washington, D.C.: October 23, 2018.

Defense Infrastructure: DOD Needs to Improve the Accuracy of Its Excess Capacity Estimates. GAO‑18‑230. Washington, D.C.: May 24, 2018.

Military Bases: Opportunities Exist to Improve Future Base Realignment and Closure Rounds. GAO‑13‑149. Washington, D.C.: March 7, 2013.

Strategic Human Capital Management

Skills gaps within the federal workforce persist despite the continuing efforts of the Office of Personnel Management and federal agencies.

Why Area Is High Risk

Mission-critical skills gaps both within federal agencies and across the federal workforce pose a high risk to the nation because they impede the government from cost effectively serving the public and achieving results. This area was added to the High-Risk List in 2001. Causes of these skills gaps vary; however, they are often due to a shortfall in one or more talent management activities such as robust workforce planning or training.

Skills gaps have been identified in government-wide occupations in fields such as science, technology, engineering, mathematics, cybersecurity, and acquisitions. Currently, OPM has stated that it is assisting agencies in addressing emerging workforce needs in the wake of the COVID-19 pandemic.

Contact Information

For additional information about this high-risk area, contact Michelle B. Rosenberg at (202) 512-6806 or rosenbergm@gao.gov.

Since our 2019 High-Risk List, the rating for one criterion—leadership commitment—declined from met to partially met. The other four criteria remain unchanged.

Leadership commitment: partially met. Since our last high-risk update in 2019, the Office of Personnel Management (OPM) has had three different directors, only one of whom was confirmed by the Senate. As of January 2021, OPM has been led by an acting director for 18 of the last 24 months. The absence of Senate-confirmed leadership meant the federal government lacked the attention from the highest levels needed to address longstanding and emerging skills gaps.

For example, OPM canceled its annual Human Capital Review meetings with agency officials for 2020. These meetings are used for agencies to report, among other things, their progress on closing skills gaps to OPM officials. According to OPM, these meetings were cancelled due to work demands related to the Coronavirus Disease 2019 (COVID-19) pandemic. OPM did hold weekly government-wide teleconferences to share information and strategies on current human capital challenges. However, the regulation-required annual Human Capital Reviews are important to show leadership’s commitment to addressing this issue and holding agencies accountable for taking action to close skills gaps.

While OPM has established an agency priority goal for fiscal years 2020 and 2021 to support agencies’ efforts to address skills gaps, mission-critical skills gaps are a root cause in high-risk areas across the government. Of the 35 other high-risk areas, skills gaps played a significant role in 22 areas.

Capacity: partially met. OPM continues to provide technical support and monitor the work of Federal Agency Skills Teams (FAST)—teams of subject matter experts and human capital management professionals established in most agencies to address their skills gaps.

Regarding government-wide skills gaps within science, technology, engineering, and mathematics (STEM) occupations, OPM officials stated they are initially focusing their efforts on addressing the shortage of cybersecurity professionals. Focusing on cybersecurity may help close this skills gap. However, there are STEM occupations that are critical to agencies’ missions—such as medical professionals and biomedical researchers—that also need to be addressed.

Action plan: partially met. As part of addressing the agency priority goal to address workforce needs, OPM is working to provide agencies with 48 different tools and flexibilities to mitigate skills gaps in 80 percent of identified high-risk, mission-critical occupations by September 2021. OPM has reported that, as of September 2020, it has made available 43 of the tools and flexibilities to assist agencies in mitigating skills gaps and is on track to provide the remaining five by the end of fiscal year 2021.

Since our 2019 report, OPM officials reported that FAST teams have improved the quality of agencies’ action plans for closing skills gaps by ensuring that they describe the root causes for the occupation’s skills gap, as well as outline the goals and strategies for addressing them.

While these individual action plans enable OPM and agencies to track progress toward closing agency-specific skills gaps, no similar action plan exists for closing government-wide skills gaps. Such a plan could provide greater transparency about OPM’s and agencies’ efforts to close the six government-wide skills gaps OPM originally identified in 2015.

Monitoring: partially met. OPM has improved its ability to monitor FAST teams’ efforts by developing a set of four common metrics to identify current and emerging skills gaps. OPM’s use of these metrics across all FAST teams implements our January 2015 recommendation that OPM create an approach for identifying and monitoring skills gaps across multiple agencies. However, as mentioned above, by reinstating the regulatory-required annual Human Capital Review meetings, OPM would provide agencies with more structure and accountability for progress on closing skills gaps.

Demonstrated progress: not met. The shortage of staff and the lack of skills among current staff occurs across multiple federal agencies and responsibilities. For example, due to a lack of workforce planning and skills, none of the 24 Chief Financial Officers (CFO) Act agencies have fully implemented best practices for information technology (IT) or cybersecurity workforce planning, including ensuring staff have the skills to address cybersecurity risks and challenges in areas such as industrial control systems supporting the electric grid and avionics cybersecurity.

Further, as noted, skills gaps caused by an insufficient number of staff, inadequate workforce planning, and a lack of training in critical skills are contributing to our designating 22 of the 35 other areas as high risk. The table below provides examples of the high-risk areas in which skills gaps played a role; the causes of these skills gaps are grouped into four broad categories—Skills, Staffing, Training, and Workforce Planning.
Table 6: Examples of Skills Gaps Related to High-Risk Areas

High-risk area

Examples of skills gaps and causes

Department Of Defense (DOD) Financial Management

Workforce Planning and Skills :. DOD acknowledges that workforce planning across the department is inconsistent, and it has difficulty competing with industry for financial management talent.

DOD Weapon Systems Acquisition

Staffing and Skills: Many major defense acquisition programs reported difficulty in hiring software development staff with the required expertise and in time to complete the required work.

Department of Energy’s (DOE) Contract and Project Management for the National Nuclear Security Administration (NNSA) and Office of Environmental Management

Workforce Planning and Staffing: DOE’s NNSA does not have a process to determine the number of acquisition professionals it needs to award and oversee contracts.

Enforcement of Tax Laws

Workforce Planning, Staffing, and Skills: The Internal Revenue Service (IRS) has not fully implemented strategic workforce planning initiatives which could help address the challenges of carrying out ongoing enforcement and taxpayer service programs. IRS also faces mission-critical gaps for enforcement staff to investigate underreporting and noncompliance.

Ensuring the Cybersecurity of the Nation

Workforce Planning and Skills: None of the 24 Chief Financial Officers (CFO) Act agencies have fully implemented best practices for information technology (IT) or cybersecurity workforce planning, including ensuring staff have the skills to address cybersecurity risks and challenges in areas such as industrial control systems supporting the electric grid and avionics cybersecurity.

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Staffing: The Department of the Treasury and DOD do not have the necessary workforce in place for handling the increasing workload of the Committee on Foreign Investment in the United States to identify and protect technologies critical to national interests.

Government-Wide Personnel Security Clearance Process

Workforce Planning: The Defense Counterintelligence and Security Agency has not developed a workforce plan that identifies the workforce required to meet demands for background investigations.

Improving and Modernizing Federal Disability Programs

Workforce Planning and Staffing: The Department of Veterans Affairs has not completed the hiring of medical officers and data analysts, (including those needed for making cost projections) and other planning efforts to ensure it has the capacity to comprehensively update its disability benefits eligibility criteria.

Improving Federal Management of Programs that Serve Tribes and Their Members

Workforce Planning: The Bureau of Indian Affairs needs to develop a workforce analysis to gauge workforce composition needs, assess gaps, prepare a workforce plan, and identify competencies for mission-critical occupations.

Improving the Management of IT Acquisitions and Operations

Workforce Planning and Skills: Twenty-one of the 24 CFO Act agencies have not implemented IT management policies that fully address the roles of their chief information officers which includes ensuring that program staff have the necessary knowledge and skills to effectively acquire IT. Progress in establishing key IT workforce planning processes is also lacking.

Management of Federal Oil and Gas Resources

Workforce Planning and Training: The Department of the Interior continues to experience challenges in workforce planning, including hiring, training, and retaining sufficient staff to oversee and manage oil and gas operations on federal lands and waters.

Managing Risks and Improving Department of Veterans Affairs (VA) Health Care

Training: VA has not developed an enterprise-wide annual training plan. VA also has not sufficiently trained compliance officers or independent auditors on reviewing disbursement agreements for its Graduate Medical Education program.

National Aeronautics and Space Administration (NASA) Acquisition Management

Staffing and Skills: The skill set required of NASA’s Schedule Analysts is in high demand and is a difficult position for which to recruit and retain talent, especially when competing with the private sector.

National Efforts to Prevent, Respond to, and Recover from Drug Misuse

Staffing: Availability of medical professionals and facilities for substance use disorders has not kept pace with needs.

Protecting Public Health through Enhanced Oversight of Medical Products

Staffing: The Food and Drug Administration’s (FDA) inspection of foreign drug manufacturing establishments decreased, in part, due to a lack of staff available to conduct inspections.

Resolving the Federal Role in Housing Finance

Workforce Planning: The Government National Mortgage Association (Ginnie Mae) relies heavily on contractors for many functions, but has not determined whether it has an optimal mix of contractor and in-house staff.

Strengthening the Department of Homeland Security Management Functions

Staffing and Skills: Criteria for appointing qualified staff to oversee acquisition programs are not being consistently applied.

Transforming the Environmental Protection Agency’s (EPA) Process for Assessing and Controlling Toxic Chemicals

Workforce Planning, Staffing, and Skills: EPA’s Office of Pollution Prevention and Toxics has neither completed a workforce nor a skills gap analysis to ensure it can meet agency deadlines.

U.S. Government's Environmental Liability

Workforce Planning and Staffing: Federal agencies have significant gaps in their ability to effectively address their portions of environmental liability, including backlogs of work that are greater than what can be done with available staff.

VA Acquisition Management

Training: Implementing a comprehensive and consistently offered Federal Supply Schedule training curriculum could enable VA to provide its staff with the tools and clarity needed to perform their roles and increase efficiency.
Source: GAO analysis. | GAO-21-119SP

Note: Two additional high-risk areas with skills gaps are Decennial Census and DOD Business Systems Modernization.

What Remains to Be Done

Over the years since we added this area to our High-Risk List, we have made numerous recommendations to OPM focused on this high-risk area and related human capital issues, 67 of which remain open as of November 2020. Additional progress could be made if OPM were to complete actions to implement open recommendations, such as:
  • examining ways to make the general schedule system’s design and implementation more consistent with the attributes of a modern, effective classification system; and
  • assessing information on agencies’ use of hiring authorities to identify opportunities to refine, consolidate, eliminate, or expand agency-specific hiring authorities to other agencies and implement changes where OPM is authorized.

Agencies also need to take action to address recommendations we have made regarding mission-critical skills gaps within their own workforces—a significant factor contributing to many high-risk areas. For example, FDA should address staffing challenges associated with conducting inspections of foreign drug manufacturers at an appropriate frequency—a situation that has been exacerbated by the COVID-19 pandemic. At EPA, officials need to carry out workforce planning efforts to ensure that the agency has the resources in place to conduct chemical risk evaluations and implement the Toxic Substances Control Act.

Related GAO Products

Public Health Preparedness: HHS Should Take Actions To Ensure It Has An Adequate Number Of Effectively Trained Emergency Responders. GAO‑20‑525. Washington, D.C.: June 18, 2020.

FEMA Disaster Workforce: Actions Needed to Address Deployment and Staff Development Challenges. GAO‑20‑360. Washington, D.C.: May 4, 2020.

Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities. GAO‑20‑129. Washington, D.C.: October 30, 2019.

Department Of Veterans Affairs: Improved Succession Planning Would Help Address Long-Standing Workforce Problems. GAO‑20‑15. Washington, D.C.: October 10, 2019.

Federal Workforce: Talent Management Strategies to Help Agencies Better Compete in a Tight Labor Market. GAO‑19‑723T. Washington, D.C.: September 25, 2019.

Defense Acquisition Workforce: DOD Increased Use of Human Capital Flexibilities but Could Improve Monitoring. GAO‑19‑509. Washington, D.C.: August 15, 2019.

Human Capital: Improving Federal Recruiting and Hiring Efforts. GAO‑19‑696T. Washington, D.C.: July 30, 2019.

Federal Hiring: OPM Needs to Improve Management and Oversight of Hiring Authorities. GAO‑16‑521. Washington, D.C.: August 2, 2016.

Federal Workforce: OPM and Agencies Need to Strengthen Efforts to Identify and Close Mission-Critical Skills Gaps. GAO‑15‑223. Washington, D.C.: January 30, 2015.

Human Capital: OPM Needs to Improve the Design, Management, and Oversight of the Federal Classification System. GAO‑14‑677. Washington, D.C.: July 31, 2014.

Managing Federal Real Property

The federal government could better manage its real property, or real estate, portfolio by effectively disposing of unneeded buildings, collecting reliable real property data, and improving the security of federal facilities.

Why Area Is High Risk

The federal government’s real estate portfolio is vast and diverse—including about 130,000 domestic civilian buildings as of fiscal year 2019 that cost billions of dollars annually to operate and maintain. Federal real property management was placed on the High-Risk List in 2003.

This year we have narrowed the scope of this issue by removing the costly leasing segment due to the federal government’s progress in reducing the number and costs of leases. However, federal agencies continue to face long-standing challenges in managing real property, including: (1) effectively disposing of excess and underutilized property, (2) collecting reliable real property data for decision-making, and (3) improving the security of federal facilities from possible attacks.

The Office of Management and Budget (OMB) and the General Services Administration (GSA) both provide guidance and support to agencies to help manage their real property.

OMB establishes federal policies and chairs the Federal Real Property Council (FRPC). GSA provides space for federal tenants and collects government-wide data on real property.

The Department of Homeland Security chaired Interagency Security Committee (ISC) sets facility security standards. In addition, its Federal Protective Service (FPS) protects about 9,000 federal buildings.

Contact Information

For additional information about this high-risk area, contact David Trimble at trimbled@gao.gov or (202) 512-2834.

Since our last high-risk update in March 2019, the federal government now meets the criterion for having an action plan. The federal government continues to meet the criterion of leadership commitment and continues to partially meet the criteria for capacity, monitoring, and demonstrated progress.

Since we added this area to our High-Risk List, we have made numerous recommendations related to this issue, 31 of which were added since the last high-risk update in March 2019. As of December 2020, 68 recommendations remain open.

The federal response to the Coronavirus Disease 2019 (COVID-19) pandemic may delay some planned actions, such as the development of a final, comprehensive national strategy guiding real property management. In addition, the federal government may face added challenges as a result of the pandemic, such as long-term changes in the amount and type of space it occupies.

These changes may, in turn, affect the amount of excess space the federal government possesses. In addition, the CARES Act provided $275 million to the Federal Buildings Fund for General Services Administration (GSA) to prevent, prepare for, and respond to the pandemic, which we summarized in our November 2020 CARES Act report GAO‑21‑191 on the federal government’s initial response to the pandemic.

Excess and Underutilized Property

The ratings for the excess and underutilized property segment remain unchanged since our 2019 High-Risk Report.

Leadership commitment: met. The Office of Management and Budget (OMB) continues to implement the 2015 National Strategy for the Efficient Use of the Real Property (national strategy) which identifies actions to reduce the size of the federal real property portfolio by prioritizing consolidation, co-location, and disposal actions. The national strategy is consistent with the 2015 Reduce the Footprint policy that required agencies to set goals for reducing unneeded space.

In May 2019, the Public Buildings Reform Board (the board) was sworn in and worked with OMB, GSA, and other federal agencies to collectively identify and recommend high-value properties for disposal under the Federal Assets Sale and Transfer Act (FASTA) of 2016. In January 2020, OMB approved the board’s list of 12 recommended high-value federal properties for disposal. According to board officials, the first round of high-value properties are set to be sold in 2021.

Capacity: partially met. In March 2020, OMB published an addendum to the national strategy but it does not fully address underlying challenges, such as budget limitations, that impede agencies’ capacity to dispose of or use real property better, a deficiency we noted in our 2019 high-risk update. According to an OMB official, as of August 2020, OMB had not yet drafted the planned comprehensive and final national strategy document, in part, because of the need to respond to COVID-19.

As a 6-year pilot program, FASTA increased the federal government’s capacity to dispose of unneeded federal real property by establishing an independent board and a process for identifying and disposing of unneeded federal buildings, among other things. However, in our January 2021 report GAO-21-233, we found that better documentation of the board’s process for evaluating and selecting disposal properties could help improve the process for future disposals.

Action plan: met. We noted in 2019 that OMB had, through Reduce the Footprint, established a government-wide action plan to (1) use property as efficiently as possible, and (2) reduce portfolios through annual reduction targets. Additionally, OMB’s November 2019 memorandum on the Implementation of Agency-wide Real Property Capital Planning requires agencies to develop an annual capital planning process document that addresses project prioritization between new assets and maintenance of existing assets. Agencies’ planning documents were originally due to OMB in August 2020 but that deadline has been postponed until 2021 due to COVID-19, according to an OMB official.

Monitoring: partially met. OMB and GSA continue to monitor progress in meeting space-reduction targets using the government-wide real property database called the Federal Real Property Profile (FRPP). However, the database is not yet sufficiently reliable to produce accurate results.

For example, OMB chose not to use the Department of Defense’s (DOD) real property data in reporting the last 2 years of results of the Reduce the Footprint policy (2018 and 2019) because the data were not sufficiently reliable. We reported in 2018 that weaknesses in the quality of DOD’s real property data result, in part, because DOD has not implemented a strategy to identify and address risks with accompanying schedules and performance metrics. As of February 2020, DOD estimated it could complete these actions by September 2023.

Demonstrated progress: partially met. The federal government has made uneven progress in implementing the Reduce the Footprint policy. While the federal government doubled its space reductions goal in fiscal year 2016 by reducing 11 million square feet of space, later results were mixed. The federal government failed to reach its reduction goals in fiscal years 2017 and 2019, and the 2019 reductions were the lowest since the effort began in 2016.

In fiscal year 2019, the federal government reduced about 566,000 square feet of space, less than half of any of the previous years’ reductions. While the board made progress by recommending a list of high-value properties for disposal that OMB approved, GSA still needs to execute the sale of these properties under FASTA.

What Remains to Be Done

  • OMB should focus on achieving Reduce the Footprint targets.
  • GSA, in conjunction with the board, should complete the sale of OMB-approved, high-value assets, per FASTA.

Costly Leasing (Segment Removed)

The ratings for the costly leasing segment improved to met for capacity, monitoring, and demonstrated progress criteria, with the two other criteria continuing to be met. Consequently, we have removed the costly leasing segment from this high-risk area.

Leadership commitment: met. GSA continued to demonstrate leadership commitment in reducing costly leasing. As noted in our 2019 High-Risk Report, GSA initiated its Lease Cost Avoidance Plan in 2018 to reduce leasing costs by a projected $4.7 billion by fiscal year 2023.

GSA continued to implement its plan through several initiatives including (1) negotiating more competitive leases with longer terms, (2) reducing the size of leases, (3) moving leased tenants to federally owned space, and (4) backfilling vacant leased space.

Capacity: met. GSA has taken steps to reduce its reliance on costly leases. In May 2020, GSA awarded the fourth iteration of its broker contract. GSA uses brokers to supplement its staff and complete work on high-value leases it would otherwise be unable to complete, according to GSA officials. GSA also hired an additional 32 GSA lease-contracting officers in fiscal years 2019 and 2020 to help address its expiring lease inventory.

GSA has also taken steps to increase its capacity for reducing leasing costs by eliminating interest fees. In 2020, in response to our 2016 recommendation, GSA developed a proposal to OMB to loan agencies funds to improve newly leased spaces instead of agencies financing these costs at private-sector interest rates. This proposal could save tenant agencies millions of dollars in private sector interest charges.

Action plan: met. GSA continued to meet the action plan criterion for costly leasing through ongoing implementation of its Lease Cost Avoidance Plan. In 2020, GSA also successfully implemented its plan to prioritize properties for ownership investments—a recommendation we made in 2013—by purchasing the Department of Transportation’s (DOT) headquarters building.

Monitoring: met. GSA now meets the criterion for monitoring progress toward reducing leasing costs. Since 2019, GSA has improved its monitoring efforts. GSA’s Lease Cost Avoidance Plan now aggregates cost avoidance estimates from a number of metrics. Specifically, the plan tracks cost avoidance through various metrics such as leases negotiated below market costs, reductions in rental square footage, and reductions in vacant leased space through backfill or lease termination.

In addition, GSA developed its lease replacement metrics to monitor lease status at different points along the process to minimize the need to stay in a space after a lease expires or to enter into short-term lease extensions.

Demonstrated progress: met. GSA has made quantifiable improvements in leasing amounts and costs and now meets the demonstrated progress criterion. GSA has documented a downward trend in leased square footage over the last 6 years, resulting in more space being under the custody and control of GSA than the space it leases for the first time since 2007. In fiscal year 2019, GSA reported that it avoided about $324 million in costs by moving tenants from previously leased space to federally owned space.

Notably, in 2020, GSA moved the DOT Headquarters in Washington, D.C., from leased space to owned space by purchasing the building. GSA estimates that this move to owned space will save taxpayers more than $409 million in lease costs over 30 years. GSA also reported that it avoided an additional $30 million of lease costs in fiscal year 2019 by backfilling vacant federal space and terminating unneeded leases.

Data Reliability

The rating for demonstrated progress has regressed from partially met to not met since our 2019 High-Risk Report. Ratings for the other four criteria remain unchanged.

Leadership commitment: met. GSA and DOD continue to demonstrate leadership commitment in improving their data reliability. GSA continues to improve its FRPP reliability and its Federal Real Property Data Validation and Verification (V&V) process for identifying and correcting possible errors.

GSA, in conjunction with the Federal Real Property Council (FRPC), also continues to refine its FRPP data dictionary which provides the real property reporting requirements for executive agencies. DOD also committed to a timeline for improving its Real Property Assets Database.

Capacity: met. GSA continues to take actions to increase the capacity of agencies to submit accurate data. For example, GSA revised certain data elements’ definitions in 2020 and incorporated them into the 2020 FRPP data dictionary to increase the accuracy and completeness of the data reported to FRPP. In addition, in November 2018, FRPC established a data governance working group that meets regularly to address challenges to reliable and complete data in the FRPP.

Action plan: met. In March 2020, FRPC’s data governance working group developed a corrective action plan to address FRPP data reliability issues that we identified in February 2020 including V&V anomaly categories to better target incorrect data. In February 2020, DOD shared its strategy to improve the coordination of corrective action plans to remediate discrepancies in its real property data system. DOD's estimated completion date for these actions is September 2022.

Monitoring: partially met. While GSA’s V&V process continues to provide a structure for improving the FRPP data, it has not addressed key errors in FRPP data.

In February 2020, we found that 67 percent of building addresses in FRPP were incorrectly formatted or incomplete, making it hard to locate specific buildings. In June 2020, GSA revised the FRPP data dictionary to clarify the reporting of street addresses as well as latitude and longitude coordinates. In November 2020, FRPC’s data governance working group developed a computer application to help agencies identify incorrect or incomplete FRPP location data. This tool will be available to agencies in 2021, according to GSA officials. GSA officials plan to monitor the effect of these changes after agencies submit their 2021 data.

We also found that verification of DOD’s real property assets during fiscal year 2019 was incomplete and not comparable across DOD due to a lack of department-wide instructions.

Demonstrated progress: not met. GSA and DOD are no longer partially meeting the criteria for demonstrated progress. While GSA and some agencies have taken action to correct data, we continue to find serious data errors that undermine the reliability of the FRPP. GSA’s V&V process has not effectively addressed key errors in FRPP data. As a result, we found in February 2020 that most building addresses in FRPP are either incorrectly formatted or incomplete.

In addition, DOD’s real property data continue to be inaccurate and incomplete. In September 2020, we found that DOD had serious control issues that affected the quality of its property data. DOD also has not implemented a strategy that identifies and addresses risks to data quality and information accessibility with accompanying schedule and performance metrics, a recommendation we made in November 2018. DOD officials told us they developed a strategy in 2020 but it will not be fully implemented until September 2023.

What Remains to Be Done

GSA should continue working with federal agencies to improve the reliability of its real property data through V&V efforts and encouraging agencies to implement action plans to better assess, address, and track data quality. In particular, agencies should correct location data as we recommended in 2020. DOD should improve the reliability of its real property data by implementing a strategy that identifies and addresses risks to data quality, as we recommended in 2018 and 2020.

Facility Security

The ratings for the facility security segment improved for the action plan and demonstrated progress criteria with the other three criteria remaining unchanged.

Leadership commitment: met. The Federal Protective Service (FPS) continues to take action to address our recommendations to improve the security of federal facilities. The Interagency Security Committee (ISC) also continues to update its Risk Management Process—a consolidated set of standards required of executive branch agencies for physical security at nonmilitary federal facilities.

Capacity: partially met. The federal government may not have the capacity to conduct adequate risk assessments because agencies’ security assessment methodologies do not fully align with the ISC Risk Management Process. To this end, the Federal Aviation Administration (FAA) and the Department of Veterans Affairs (VA) should implement our October 2017 and January 2018 recommendations to complete an assessment of their policies consistent with the ISC’s standards.

Action plan: met. The federal government has shown improvement and now meets this criterion by finalizing action plans that should improve the security of federal facilities. In July 2019, FPS, GSA, the judiciary, and the U.S. Marshals Service finalized a memorandum of agreement clarifying their respective roles and responsibilities for federal facility security, implementing our longstanding recommendation from September 2011.

In 2020, FPS and GSA also implemented our December 2015 recommendation by finalizing a joint strategy that defined and articulated a common understanding of expected outcomes and aligned the two agencies' activities and core processes to achieve their related missions.

Monitoring: partially met. The federal government continues to partially meet this criterion. In 2019, FPS developed two systems to oversee its contract guard workforce. Specifically, FPS developed the Training and Academy Management System and the Post Tracking System. However, FPS has not fully implemented these systems. Finally, as noted in the 2019 high-risk update, actions are still needed to better address various emerging security threats to federal facilities.

Demonstrated progress: partially met. The federal government has shown improvement and now partially meets the criterion for demonstrated progress to improve security. FPS must demonstrate the effectiveness of its guard management system and ensure that it interacts with its training system across all regions. Once the systems are fully implemented, FPS will be able to obtain information to assess its guards’ capability to address security risks across its portfolio.

Although there has been progress overall to improve federal facility security, the attack on the U.S. Capitol on January 6, 2021, underscores that more progress is needed among a range of federal agencies and their law enforcement partners to defend against ever changing threats.

What Remains to Be Done

To improve the security of federal facilities, the following steps are necessary:
  • FAA and VA should ensure that their risk assessment processes align with ISC standards; and
  • FPS should fully implement its guard management systems and ensure they are working as expected.

Related GAO Products

Federal Real Property: Additional Documentation of Decision Making Could Improve Transparency of New Disposal Process. GAO-21-233. Washington, D.C.: January 29, 2021.

Defense Real Property: DOD-Wide Strategy Needed to Address Control Issues and Improve Reliability of Records. GAO‑20‑615. Washington, D.C.: September 9, 2020.

Federal Leasing: Quality Information and Metrics Would Allow GSA to Better Assess the Value of Its Broker Program. GAO‑20‑361. Washington, D.C.: March 31, 2020.

Federal Real Property: GSA Should Improve Accuracy, Completeness, and Usefulness of Public Data. GAO‑20‑135. Washington, D.C.: February 6, 2020.

Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control. GAO‑19‑138. Washington, D.C.: December 20, 2018.

Defense Real Property: DOD Needs to Take Additional Actions to Improve Management of Its Inventory Data. GAO‑19‑73. Washington, D.C.: November 13, 2018.

Federal Facility Security: Actions Needed to Better Address Various Emerging Threats. GAO-19-32SU. Washington, D.C.: October 17, 2018.

Federal Facility Security: Selected Agencies Should Improve Methods for Assessing and Monitoring Risk. GAO‑18‑72. Washington, D.C.: October 26, 2017.

Federal Real Property: Improving Data Transparency and Expanding the National Strategy Could Help Address Long-standing Challenges. GAO‑16‑275. Washington, D.C.: March 31, 2016.

Federal Real Property: GSA Could Decrease Leasing Costs by Encouraging Competition and Reducing Unneeded Fees. GAO‑16‑188. Washington, D.C.: January 13, 2016.

Federal Protective Service: Actions Needed to Assess Risk and Better Manage Contract Guards at Federal Facilities. GAO‑12‑739. Washington, D.C.: August 10, 2012.

Funding the Nation’s Surface Transportation System

Congress should pass a long-term, sustainable solution for funding surface transportation.

Why Area Is High Risk

The nation’s surface transportation system—including highways, transit, maritime ports, and rail systems that move both people and freight—is under growing strain. Further, the cost to repair and upgrade the system to meet current and future demand is estimated in the hundreds of billions of dollars.

The oldest portions of the Interstate Highway System are over 60 years old, and over 7 percent of the nation’s bridges were rated in poor condition in 2019.These challenges are intensified by a range of factors such as shifting demographics, a growing economy, and rapid development of new technologies. This issue has been on our High-Risk List since 2007.

These surface transportation challenges come at a time when traditional funding sources are eroding and the federal government lacks a long-term sustainable strategy for funding surface transportation. Funding is further complicated by the federal government’s financial condition and fiscal outlook.

The nation is on an unsustainable long-term fiscal path of deficits and debt, and Congress and the administration face difficult policy choices about federal revenues, spending and investment. These choices need to be accompanied by a broader fiscal plan to put the government on a more sustainable long-term fiscal path.

Contact Information

For additional information about this high-risk area, contact Elizabeth Repko at (202) 512-2834 or RepkoE@gao.gov.

We are not rating this high-risk area because addressing the identified issues will primarily involve congressional action.

Motor fuel taxes and additional truck-related taxes that support the Highway Trust Fund—the major source of federal surface transportation funding—are eroding. Because of inflation, the 18.4 cent-per-gallon federal tax on gasoline has about one-third less purchasing power than it did when the federal motor fuel tax was last raised in 1993.

To maintain spending levels for highway and transit programs and to cover revenue shortfalls, Congress transferred a total of about $155 billion in general revenues to the Highway Trust Fund on nine occasions from 2008 through 2020, including $13.6 billion by the Continuing Appropriations Act, 2021 and Other Extensions Act, enacted in October 2020.

These transfers each represented a one-time infusion of funding, not a sustainable long-term source of revenues. This funding approach effectively ended the long-standing principle of “users pay” in highway finance, breaking the link between the taxes highway users paid and the benefits they received.

The Fixing America’s Surface Transportation (FAST) Act appropriated around $70 billion of the $141 billion in transfers for fiscal years 2015 through 2020. In 2021, the gap between projected revenues and spending will recur. In September 2020, the Congressional Budget Office estimated that $188 billion in additional funding would be required to maintain current spending levels plus inflation from fiscal years 2021 through 2030. This estimate did not include the effects of the $13.6 billion transferred by the Continuing Appropriations Act, 2021 and Other Extensions Act. See figure 7.

Figure 7: Projected Cumulative Highway Trust Fund Balance, Fiscal Years 2021 through 2030

Note: This projection assumes no further augmentation of highway-related taxes to the Highway Trust Fund after 2021 from general revenues or other sources. By law, the Highway Trust Fund cannot incur negative balances.

A long-term sustainable plan for funding surface transportation involves congressional action and remains the pivotal action that will determine whether this issue remains on, or is removed from, our High-Risk List. However, it is also important that federal funding for surface transportation be spent wisely and efficiently.

Over the last decade we have noted opportunities to improve performance and accountability in how surface transportation funds are spent by maximizing the use of existing resources and linking funding to performance. These opportunities include (1) implementing a performance-based approach to surface transportation funding, and (2) improving how surface transportation projects are selected through the Department of Transportation’s (DOT) discretionary grant programs.

Performance-based approach to surface transportation funding. Historically, spending for surface transportation programs has not effectively addressed key challenges, such as deteriorating infrastructure conditions and increasing congestion and freight demand. This is because (1) federal goals and roles have been unclear, (2) programs have lacked links to performance, and (3) programs have not used the best tools and approaches to ensure effective investment decisions.

Since 2008, we have suggested that Congress consider a fundamental reexamination of these programs to improve performance and accountability by (1) clarifying federal goals and roles, (2) establishing performance links, and (3) improving investment decision-making.

Provisions enacted in 2012 in the Moving Ahead for Progress in the 21st Century Act (MAP-21) have begun to address these key challenges. Specifically, MAP-21 included provisions to move toward a more performance-based surface transportation program by establishing national performance goals in areas such as infrastructure condition, safety, and system performance.

The act and its implementing regulations set forth a three-stage process in which (1) DOT establishes performance measures and standards, (2) states and other grantees set targets based on these performance measures and states report progress to DOT, and (3) DOT evaluates whether grantees have met or made significant progress toward their targets.

DOT has been implementing the performance-based approach envisioned in MAP-21. For example, starting in fiscal year 2014, the National Highway Traffic Safety Administration (NHTSA) required states to establish targets for safety-related performance measures such as traffic fatalities and serious injuries. Additionally, in January 2017, the Federal Highway Administration finalized the last of six interrelated rules establishing performance measures in the areas of safety, pavement and bridge conditions, and system performance.

In 2019, we reported that it was sometimes unclear whether states had achieved their safety-related targets. As a result, we recommended that NHTSA develop and implement a mechanism that communicates whether states have achieved their targets. In response, NHTSA plans to provide performance data on states' achievement of their 2020 targets on its website when data becomes available in the fall of 2021.

Discretionary grants. Discretionary grants are an important component in improving the performance and accountability of transportation funding decisions. We have reported that the historic approach to funding surface transportation, in particular highways, poses challenges because funding has been principally provided through statutory formulas designed largely to return revenues to their attributed state of origin to closely align the states’ contributions to the Highway Trust Fund with the funding they receive.

The FAST Act authorized about a dozen new discretionary grant programs, including the Nationally Significant Freight and Highway Projects Program, authorized at $4.5 billion over 5 fiscal years for highway, rail, port, and intermodal freight and highway projects, which DOT named the Infrastructure for Rebuilding America (INFRA) program. While more than 90 percent of funding from the Highway Trust Fund will continue to be distributed by statutory formula, the FAST Act represents a promising development to address national and regional transportation priorities.

Since 2011 we have identified numerous challenges with DOT discretionary grant programs, including problems with the transparency of the application review and selection process and a lack of documentation of key decisions. In June 2019 we reported that we were unable to determine the basis for about $2.3 billion in discretionary grant awards from fiscal years 2016 through 2018 due to the continued lack of consistency and transparency in DOT’s management of the program.

For example, for the INFRA awards made in 2018, DOT initially found that 97 applications contained insufficient information for an eligibility determination and subsequently followed up with 42 of the 97 applicants to request additional information. However, DOT did not sufficiently document why it followed up with certain applicants and not others.

Moreover, while DOT established criteria to evaluate projects, DOT forwarded information on all 165 projects that were found to be statutorily eligible to the Secretary of Transportation for potential award, regardless of how well they scored on the evaluation criteria. DOT’s documentation did not provide insight into why projects were selected for awards.

We recommended in June 2019 that DOT clarify for applicants for the remaining INFRA awards the circumstances under which DOT may request additional information. We also recommended that DOT inform applicants how scores on merit criteria are used, if at all, to determine whether projects advance to the Secretary for selection. DOT agreed with these recommendations and stated it would implement them for the fiscal year 2020 INFRA funding awards, which were announced in June 2020.

As of December 2020, DOT officials told us they developed more formal procedures in 2020 for seeking additional information from applicants. However, DOT did not inform applicants about the circumstances under which DOT may request additional information or how merit criteria scores are used to advance projects to the Secretary, as we recommended.

As we reported in June 2019, the reauthorization of DOT’s surface transportation programs, which expire in October 2021, provides Congress the opportunity to require DOT to take additional action to ensure consistency and transparency in the management of its discretionary grant programs. We suggested that Congress consider including language in the next reauthorization that would require DOT to develop and implement transparency measures for its discretionary grant programs.

Such measures should, at a minimum, help to ensure that the evaluation process is clearly communicated, that applications are consistently evaluated, and that the rationale for DOT’s decisions is clearly documented.

Congressional Actions Needed

Congress and the administration should agree on a long-term plan for funding surface transportation. Continuing to augment the Highway Trust Fund with general revenues may not be sustainable, given competing demands and the federal government’s long-term fiscal challenges. A sustainable solution would balance revenues to and spending from the Highway Trust Fund.

New revenues from users can come only from taxes and fees; ultimately, major changes in transportation spending or in revenues, or in both, will be needed to bring the two into balance. In 2008, we reported that Congress should consider addressing the imbalance between federal surface transportation revenues and spending. That matter has not been addressed, and the current authorization for surface transportation funding expires in October 2021.

What Remains to Be Done

While passage by Congress of a long-term sustainable plan for funding surface transportation is the pivotal action that is needed to remove this issue from our High-Risk List, it is also increasingly important that the effectiveness of surface transportation programs be improved by maximizing the use of existing resources and linking funding to performance. Specifically, DOT can
  • continue to make progress implementing the performance-based framework established in MAP-21, and
  • enhance the management of its discretionary grant programs and respond to our recommendations to ensure the integrity of future DOT discretionary grant programs.

Related GAO Products

Traffic Safety: Improved Reporting Could Clarify States’ Achievement of Fatality and Injury Targets. GAO‑20‑53. Washington, D.C.: October 22, 2019.

Discretionary Transportation Grants: Actions Needed to Improve Consistency and Transparency in DOT's Application Evaluations. GAO‑19‑541. Washington, D.C.: June 26, 2019.

Surface Transportation: A Comprehensive Plan Could Facilitate Implementation of a National Performance Management Approach. GAO‑17‑638. Washington, D.C.: July 27, 2017.

Highway Trust Fund: Pilot Program Could Help Determine the Viability of Mileage Fees for Certain Vehicles. GAO‑13‑77. Washington, D.C.: December 13, 2012.

Highway Trust Fund: All States Received More Funding Than They Contributed in Highway Taxes from 2005 to 2009. GAO‑11‑918. Washington, D.C.: September 8, 2011.

Surface Transportation: Restructured Federal Approach Needed for More Focused, Performance-Based, and Sustainable Programs. GAO‑08‑400. Washington, D.C.: March 6, 2008.

Modernizing the U.S. Financial Regulatory System

Financial regulators need to strengthen systemic risk oversight and monitor progress on reforms, and Congress may want to consider options to address inefficiencies that hamper the financial regulatory system.

Why Area Is High Risk

The U.S. financial regulatory structure remains complex, with responsibilities fragmented among a number of regulators that have overlapping authorities. The current structure introduces significant challenges for efficient and effective oversight of financial institutions and activities. Moreover, in the decades leading up to the financial crisis of 2007—2009, the financial regulatory system failed to adapt to significant changes.

First, although the financial sector increasingly had become dominated by large, interconnected financial conglomerates, no single regulator was tasked with monitoring and assessing the risks that these firms' activities posed across the entire financial system.

Second, entities that had come to play critical roles in the financial markets were not subject to sufficiently comprehensive regulation and oversight.

Third, the regulatory system was not effectively providing key information and protections for new and more complex financial products for consumers and investors. Consequently, we added this area to the High-Risk List in 2009.

Modernizing the U.S. financial regulatory system and aligning it to current conditions is essential to ensuring the stability of the financial system, particularly during the period of profound economic disruption associated with the COVID-19 pandemic.

Contact Information

For additional information about this high-risk area, contact Daniel Garcia-Diaz at (202) 512-8678 or garciadiazd@gao.gov.

Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged. Actions are needed by financial regulators and Congress to address this high-risk area.

Leadership commitment: partially met. Since policymakers enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in July 2010, financial regulators have shown leadership commitment by finalizing rules to implement the Dodd-Frank Act’s rulemaking requirements. While the act included provisions to better position the financial regulatory system to address financial stability risks, it generally left the financial regulatory structure unchanged.

In February 2016, we reported that remaining fragmentation and overlap in the structure have created inefficiencies in regulatory processes and inconsistencies in how regulators oversee similar types of institutions. We also reported that while the Dodd-Frank Act created the Financial Stability Oversight Council (FSOC) to identify and address threats to financial stability, FSOC’s legal authorities may not allow it to respond effectively to certain systemic risks. For example, these authorities may not allow FSOC to effectively address risks from financial activities that span multiple entities. Hence, addressing weaknesses in the U.S. financial regulatory structure will require additional congressional leadership.

In June 2020, we reported on financial regulators’ efforts to respond to the Coronavirus Disease 2019 (COVID-19) by implementing relevant provisions of the CARES Act, such as temporary changes to regulatory requirements to encourage banks to provide flexibility to borrowers facing disruptions. We noted that as market conditions continue to evolve, regulatory attention to safety and soundness of regulated banks would continue to be important to identify and respond to any emerging issues early.

Capacity: partially met. The Dodd-Frank Act created FSOC and included other provisions intended to increase the capacity of the financial regulatory system to identify and address risks to the stability of the financial system. While most of these reforms have been implemented, rulemakings for certain reforms have only recently taken effect or were modified under the May 2018 Economic Growth, Regulatory Relief and Consumer Protection Act.

For instance, in July 2020, we reported that the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve System (Federal Reserve) had finalized amendments to a rule to address changes under the act to resolution planning requirements for covered companies. In addition, in 2021, we plan to publish a framework for evaluating regulatory structures and policy actions pertaining to financial stability. We plan to conduct future work to compare the U.S. regulatory structure for overseeing financial stability to principles in this framework related to the capacity of this structure to address financial stability risks.

Action plan: partially met. FSOC’s annual reports have served as the council’s key accountability document, as each report (1) discusses the progress regulators have made in implementing reforms, (2) identifies newly emerging threats, and (3) includes recommendations to address them.

In December 2020, we reiterated that concerns remain that while FSOC can use its designation authorities to respond to certain potential systemic risks posed by individual entities, its authorities are limited with respect to risks that arise from financial activities spanning multiple entities. Specifically, FSOC can recommend but not compel regulators to act with respect to systemic risk arising from such activities. This presents a challenge to holding FSOC and the financial regulators accountable for addressing systemic risk.

Monitoring: partially met. FSOC monitors and reports on indicators of financial stability and potential emerging threats to financial stability. In addition, in 2018, the Federal Reserve began publishing an annual financial stability report that includes its assessment of the U.S. financial system. Also, since the financial crisis, the Federal Reserve’s stress test programs have played a key role in supervisory efforts to evaluate and maintain financial stability.

In November 2016, we recommended that the Federal Reserve enhance the effectiveness of these stress test programs by further assessing—and adjusting as needed—the severity of the stress scenarios and other aspects of the test design. Since 2019, the Federal Reserve has taken steps to enhance its stress testing practices that addressed seven recommendations. However, further actions are needed to address five open priority recommendations in this area related to stress test design and management of model risk (e.g., accounting for sensitivity of stress test model results). In 2020, we also highlighted opportunities for the Department of Treasury (Treasury) to improve tracking and prioritizing of cyber risk mitigation efforts in the financial services sector according to goals established by the sector.

Demonstrated progress: partially met. The new agencies and oversight bodies created under the Dodd-Frank Act continue to take actions to carry out their missions and coordinate efforts. For instance, Treasury’s Office of Financial Research and the Federal Reserve have taken steps to reduce potential duplication and ensure comprehensive efforts to monitor systemic risks. The two agencies coordinated semiannual meetings to jointly discuss views from their respective monitoring of the financial system.

In our continuing work to monitor this area, as of December 2020, we observed that federal financial regulators could take additional steps to improve the efficiency and effectiveness of the financial regulatory system. For example, additional continuing progress is needed for the Federal Reserve to enhance its stress test programs.

What Remains to Be Done

Over the years since we added this area to our High-Risk List, we have made numerous recommendations related to this area. Since our 2019 High-Risk Report that highlighted 26 open recommendations, 12 recommendations remain open as of December 2020, which include two new recommendations related to cybersecurity risk mitigation in the financial services sector that should be addressed. FSOC and its member agencies should implement our open recommendations related to strengthening oversight of risks to financial stability and assessing the effectiveness of Dodd-Frank Act reforms:
  • To improve the effectiveness of its stress test programs, the Federal Reserve should further assess key aspects of stress scenario design and take steps to improve its ability to manage model risk (the potential for adverse consequences from decisions based on incorrect or misused model outputs).
  • Federal financial regulators should continue to work cooperatively to conduct required retrospective analyses of rulemakings.
  • Treasury should track and prioritize the financial services sector’s cyber risk mitigation efforts and update the sector’s cyber risk mitigation plan with metrics and other information.

Congressional Actions Needed

Addressing weaknesses in the U.S. financial regulatory structure will require additional congressional leadership in the following two areas as cited in our February 2016 report:
  • Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services.

    For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, and determining the optimal federal role in insurance regulation, among other considerations.
  • Congress should consider whether legislative changes are necessary to align FSOC’s authorities with its mission to respond to systematic risks. Congress could do so by making changes to FSOC’s mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies.

Related GAO Products

Financial Stability: Agencies Have Not Found Leveraged Lending to Significantly Threaten Stability but Remain Cautious Amid Pandemic. GAO‑21‑167. Washington, D.C.: December 16, 2020.

Critical Infrastructure Protection: Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts. GAO‑20‑631. Washington, D.C.: September 17, 2020.

Financial Company Bankruptcies: Congress and Regulators Have Updated Resolution Planning Requirements. GAO‑20‑608R. Washington, D.C.: July 21, 2020.

Enclosure on Temporary Financial Regulatory Changes. Covid-19: Opportunities to Improve Federal Response and Recovery Efforts. GAO‑20‑625. Washington, D.C.: June 25, 2020.

Financial Services Regulations: Status of GAO Recommendations to Enhance Regulatory Analyses and Interagency Coordination. GAO‑20‑114R. Washington, D.C.: December 10, 2019.

Community Banks and Credit Unions: Regulators Could Take Additional Steps to Address Compliance Burdens. GAO‑18‑213. Washington, D.C.: February 13, 2018.

Federal Reserve: Additional Actions Could Help Ensure the Achievement of Stress Test Goals. GAO‑17‑48. Washington, D.C.: November 15, 2016.

Financial Regulation: Complex and Fragmented Structure Could Be Streamlined to Improve Effectiveness. GAO‑16‑175. Washington, D.C.: February 25, 2016.

Financial Stability Oversight Council: Further Actions Could Improve the Nonbank Designation Process. GAO‑15‑51. Washington, D.C.: November 20, 2014.

Financial Stability: New Council and Research Office Should Strengthen the Accountability and Transparency of Their Decisions. GAO‑12‑886. Washington, D.C.: September 11, 2012.

Resolving the Federal Role in Housing Finance

Congress should consider establishing objectives for the federal role in housing finance and a plan for ending the Fannie Mae and Freddie Mac conservatorships. Housing agencies should address oversight weaknesses.

Why Area Is High Risk

The federal role in housing finance expanded during the 2007–2009 financial crisis and remains large. The federal government currently supports about two-thirds of the mortgage market. Since 2013, we have designated resolving the federal role in housing finance as a high-risk area because of the government’s large fiscal exposure and because objectives for the future federal role have not been established.

FHFA placed the enterprises into conservatorships in 2008 due to concern that their deteriorating financial condition threatened economic stability. As of September 30, 2020, the enterprises had received $191.4 billion in capital support from Treasury and paid dividends to Treasury exceeding that amount. If the enterprises were to incur major additional losses, they would draw required amounts from their remaining $254.1 billion in Treasury commitments.

The federal government also supports mortgages through insurance and guarantee programs. FHA has an insured portfolio of single-family mortgages that exceeds $1.2 trillion, and Ginnie Mae guarantees the performance of more than $2 trillion in securities backed by mortgages with FHA or other federal agency support.

The Coronavirus Disease 2019 pandemic has led to missed mortgage and rent payments that have strained the housing finance system and heightened fiscal risks to the federal government.

Contact Information

For additional information about this high-risk area, contact John Pendleton at (202) 512-8678 or pendletonj@gao.gov.

Our ratings for the five criteria remain unchanged from our 2019 High-Risk Report. Actions are needed by Congress and housing agencies to address this high-risk area.

Leadership commitment: partially met. The administration and housing and regulatory agencies have taken a number of actions that demonstrate leadership commitment. For example, in March 2019, the President directed the Secretaries of the Treasury and Housing and Urban Development (HUD) to develop housing finance reform plans, which were issued in September 2019.

Additionally, in December 2020, the Federal Housing Finance Agency (FHFA) finalized a rule establishing a new regulatory capital framework for the Federal National Mortgage Association (Fannie Mae) and Federal Home Loan Mortgage Corporation (Freddie Mac)—collectively, the enterprises—that FHFA views as a critical step toward ending the enterprise conservatorships.

Statutory changes will be needed to resolve the federal role in housing finance. Since our 2019 High-Risk Report, Congress has held hearings on housing finance reform, but has not enacted legislation establishing objectives for the future federal role in housing finance or a transition plan that enables the enterprises to exit conservatorship.

Also, some prior legislative proposals have not had a system-wide focus. For example, some proposals address the enterprises but do not consider other entities such as the Federal Housing Administration (FHA) and the Government National Mortgage Association (Ginnie Mae).

Capacity: partially met. Under FHFA’s conservatorship, the enterprises—which guarantee about $6 trillion in mortgage-backed securities—generally have operated profitably since 2012. FHFA has mitigated some of their risks by directing them to take actions that have transferred significant amounts of credit risk to the private market. Overall, the enterprises also have increased their capital reserves following modifications to their conservatorship agreements that allow the two enterprises to retain earnings up to certain thresholds.

As of September 30, 2020, the enterprises collectively had about $35 billion in capital reserves and about $6.3 trillion in assets. As a result, the ratio of capital to assets (unadjusted for asset risk) was less than 0.6 percent, well below the capital ratios generally required of other federally regulated financial institutions. Pandemic-related mortgage losses and the cost of implementing borrower and renter protections in the CARES Act (e.g., mortgage forbearances) could slow the enterprises’ progress in building capital reserves. Additionally, FHFA lacks statutory authority to examine nonbank mortgage servicers (nondepository institutions that collect loan payments, among other functions) and other third parties that do business with and pose potential risks to the enterprises.

FHA and Ginnie Mae also face capacity challenges. FHA’s Mutual Mortgage Insurance Fund has met its statutory minimum capital requirement every year since fiscal year 2014, but the requirement is not based on a specified risk threshold, such as the economic conditions the fund would be expected to withstand. Further, mortgage defaults and forbearances stemming from the pandemic may adversely affect the fund’s financial condition.

Growth in Ginnie Mae’s guaranteed portfolio and a shift toward nonbank securities issuers have increased the agency’s potential exposure to loss. But Ginnie Mae has not analyzed the extent to which its guaranty fee for single-family mortgage-backed securities is sufficient to cover potential losses under different economic scenarios.

Ginnie Mae also relies heavily on contractors for many functions, but has not determined whether it has an optimal mix of contractors and in-house staff. Congress has not reformed Ginnie Mae’s oversight structure to address its increasing risks or required the agency to study and report on its fee and staffing issues.

Action plan: partially met. Although fundamental changes to the housing finance system have yet to be enacted, federal agencies have taken some planning steps to facilitate the transition to a future federal role. For example, the aforementioned September 2019 Department of the Treasury (Treasury) and HUD plans contain numerous recommendations for administrative and legislative reforms to the housing finance system.

Treasury’s plan seeks to define a limited federal role, enhance taxpayer protections against future bailouts, and promote competition in the housing finance system. HUD’s plan aims to refocus FHA on its core mission, protect taxpayers, provide FHA and Ginnie Mae the tools to manage risk, and provide liquidity to the housing finance system.

If Congress enacts changes to the housing finance system, relevant federal agencies will need to develop action plans to effectively implement the changes.

Monitoring: partially met. Federal agencies have taken some steps to provide monitoring tools that may aid the assessment of changes to the housing finance system. For example, FHFA and the Consumer Financial Protection Bureau have an ongoing joint initiative—the National Mortgage Database Program—that could be useful for examining the effect of mortgage market reforms.

The joint initiative features a representative database of loan-level information on the terms and performance of mortgages, as well as characteristics of the associated borrowers and properties. Other program components include quarterly and annual surveys of mortgage borrowers about their experiences in obtaining a mortgage and maintaining a mortgage under financial stress.

However, FHFA’s Office of Inspector General has identified a range of shortcomings in FHFA’s supervision of the enterprises. These include deficiencies in examination guidance and execution; the size, training, and qualifications of the examiner workforce; communication of supervisory findings; and quality control.

Additionally, FHA’s monitoring of reverse mortgages (a type of loan against home equity) and sales of defaulted loans has weaknesses. FHA has not established comprehensive performance indicators for reverse mortgages—a loan portfolio that has negatively affected the Mutual Mortgage Insurance Fund’s financial performance—or for defaulted loans sold to private purchasers. FHA also has not comprehensively monitored loan outcomes for reverse mortgages.

Demonstrated progress: not met. Overall progress on resolving the federal role in housing finance will be difficult to achieve until Congress provides further direction by enacting changes to the housing finance system. Assessing progress against specific goals is not yet possible because Congress has not provided a blueprint for the future federal role in housing finance or the future structure of the enterprises. Prolonging the enterprise conservatorships could create uncertainties for market participants and hinder progress toward the development of the broader mortgage securities market.

What Remains to Be Done

Housing agencies should implement our previous recommendations designed to help improve oversight of mortgage-related risks, consistent with federal internal control standards and Office of Management and Budget guidance for managing federal credit programs. In particular,
  • Ginnie Mae should (1) evaluate the extent to which its guaranty fee provides sufficient reserves to cover potential losses under different economic scenarios, (2) analyze the costs of using contractors for its operations and develop a plan to determine the optimal mix of contractor or in-house staff, and (3) assess its contract administration options to determine the most efficient and effective use of funds.
  • FHA should (1) develop performance indicators and analytic tools to better monitor outcomes for its reverse mortgage portfolio, and (2) develop objectives and measurable targets for sales of defaulted loans.

In the years since we added this area to the High-Risk List, we have made numerous recommendations related to this high-risk area, 25 of which were made since the last high-risk update in March 2019. As of December 2020, 19 recommendations remain open.

Congressional Actions Needed

Congressional actions we recommended from 2016 to 2019 will be needed to help resolve the federal role in housing finance and manage federal fiscal exposure to the mortgage market.

Specifically, Congress should consider legislation that
  • establishes objectives for the future federal role in housing finance, including the structure of the enterprises;
  • provides a transition plan to a reformed system that enables the enterprises to exit federal conservatorship; and
  • considers all relevant federal entities, including FHA and Ginnie Mae.

Congress also should consider
  • reforming Ginnie Mae's oversight structure to help address its increasing risks;
  • requiring Ginnie Mae to evaluate and report on the adequacy of its current guaranty fee, its reliance on contractors and potential use of fee revenue to hire contractor and in-house staff, and how it would use greater flexibilities to set the compensation of its in-house staff;
  • granting FHFA explicit authority to examine nonbank servicers and other third parties that do business with the enterprises; and
  • specifying the economic conditions that FHA’s Mutual Mortgage Insurance Fund would be expected to withstand without substantial risk of drawing on supplemental funds, and require FHA to specify and comply with a capital ratio consistent with these conditions.

Related GAO Products

Reverse Mortgages: FHA Needs to Improve Monitoring and Oversight of Loan Outcomes and Servicing. GAO‑19‑702. Washington, D.C.: September 25, 2019.

Federal Housing Administration: Opportunities Exist to Improve Defaulted Single-Family Loan Sales. GAO‑19‑228. Washington, D.C.: July 3, 2019.

Federal Housing Administration: Improved Procedures and Assessment Could Increase Efficiency of Foreclosed Property Conveyances. GAO‑19‑517. Washington, D.C.: June 20, 2019.

Ginnie Mae: Risk Management and Staffing-Related Challenges Need to Be Addressed . GAO‑19‑191. Washington, D.C.: April 3, 2019.

Housing Finance: Prolonged Conservatorships of Fannie Mae and Freddie Mac Prompt Need for Reform. GAO‑19‑239. Washington, D.C.: January 18, 2019.

USPS Financial Viability

Comprehensive legislative reform and additional cost-cutting are needed for the U.S. Postal Service to achieve sustainable financial viability.

Why Area Is High Risk

USPS’s financial viability has been on our High-Risk List since 2009 due to the need for action to address USPS’s poor financial condition. USPS cannot fund its current level of services and financial obligations from its revenues. As an independent establishment in the executive branch, USPS has long been expected to provide affordable, quality, and universal postal service to all parts of the country while remaining self-financing. Specifically, USPS is expected to be financially self-sufficient by covering its expenses through revenues generated from the sale of its products and services.

However, USPS is now unable to do so. The use of USPS’s most profitable product—First-Class Mail—is expected to continue declining for the foreseeable future. USPS also faces increasing competition in its growing but less profitable package shipping business. Meanwhile, key costs, such as compensation and benefits, are rising.

We have long reported that USPS’s financial condition needed attention by Congress and USPS to achieve broad-based restructuring. Currently there are four open Matters for Congressional Consideration and one open recommendation that are related to this high-risk area.

Contact Information

For additional information about this high-risk area, contact David Trimble at (202) 512-2834 or trimbled@gao.gov.

Since our 2019 High-Risk Report, ratings for four criteria remain unchanged, and the capacity criterion regressed to not met.

Progress on the U.S. Postal Service’s (USPS) financial viability requires action from both Congress and USPS to address both its annual operating losses and its unfunded long-term liabilities. USPS lost $87 billion over the past 14 fiscal years—including $9.2 billion in fiscal year 2020—and expects to lose $9.7 billion in fiscal year 2021.

Leadership commitment: partially met. USPS continues to seek some legislative and regulatory changes intended to improve its financial condition. For example, USPS has supported legislation that would integrate its retiree health program with Medicare. This would reduce its total unfunded liabilities by shifting these costs to the federal government.

USPS has also called for the elimination of the price cap that statutorily limits rate increases for most mail to the rate of inflation. Further, USPS leadership has stated that it plans to pursue operational changes in fiscal year 2021 that could help address USPS’s financial viability by reducing mail transportation, sorting, and delivery costs. However, the impact of these plans on USPS’s financial viability are uncertain and have met stakeholder opposition including lawsuits in federal court.

Capacity: not met. Since we last reported, USPS expenses exceeded revenues by $18 billion, as its labor compensation costs continue to increase while the volume of its most profitable mail products continue to decline. We reported in May 2020 that USPS’s business model is not financially sustainable and that congressional action is essential to reforming USPS’s business model.

Further, the imbalance between USPS’s revenues and expenses continued in fiscal year 2020. Absent legislative and regulatory change, USPS reported that it does not have the financial resources to carry out its primary mission, make certain required federal payments to fund retiree health benefits and accrued pension benefits, or meet its capital investment needs.

USPS did not make $63.2 billion in required payments to fund postal retiree health and pension benefits through fiscal year 2020. USPS reported that it did not make these payments so that it could cover current and anticipated operating costs, deal with contingencies, and make needed capital investments. USPS also has available to it an additional $10 billion in Coronavirus Disease 2019 (COVID-19)-related funding with the U.S. Department of the Treasury as authorized in the CARES Act, enacted in March 2020, as amended by the Consolidated Appropriations Act, 2021.

Even with this funding, USPS has stated that given its current business model, it anticipates that it will be able to cover its operating and other costs only by not making the required funding payments.

Defaulting on these funding payments adds to USPS’s already large unfunded liabilities, affects USPS’s capacity to become more financially viable, and could significantly impact USPS’s postal retirees and survivors. For example, USPS reported that at the end of fiscal year 2020 approximately 500,000 retirees receive retirement health benefits. We found in August 2018 that based on Office of Personnel Management projections, the fund supporting postal retiree health benefits would be depleted in fiscal year 2030 if USPS continues to miss all payments.

Depletion of the fund, together with USPS’s potential inability to pay its share of retiree health care premiums once they are no longer being paid from the fund, could result in some combination of reduced benefits for postal retirees, increased payments from retirees or current postal employees, higher postage rates, or payments from the federal government to fund these health care premiums.

USPS’s financial difficulties have also affected its ability to make significant capital investments that could improve its financial viability. USPS reported that it needs to increase capital spending and modernize its infrastructure after years of deferred capital investment.

However, USPS stated that it has decreased and reprioritized its capital investments due to COVID-19. COVID-19 rapidly accelerated the long-term decline in USPS’s most profitable types of mail, which, among other things, contributed to USPS’s 14th straight fiscal year of net losses. USPS still plans to replace its aging fleet of delivery vehicles to increase its capacity to deliver mail and packages in a more cost-efficient manner. However, given USPS’s financial uncertainty, the ability to make these investments may require additional tradeoffs with other commitments.

Action plan: partially met. USPS’s most recent 5-year strategic plan—for fiscal years 2020 to 2024—outlines its strategy for making progress towards financial viability. USPS has also developed annual performance plans and reports that specify goals for each fiscal year.

Additionally, USPS officials stated that they are working on a new strategic plan to be released in 2021 that will contain cost-reduction measures, among other things. However, as we reported in May 2020, USPS’s actions alone will be insufficient to restore its financial viability as statutory requirements limit USPS’s ability to raise revenues and reduce costs.

Monitoring: met. USPS continues to regularly monitor its financial viability through its independently-audited financial reports. These reports provide information on financial trends, such as (1) revenues and expenses; (2) unfunded liabilities; and (3) debt obligations.

In addition, through its annual performance plans and reports, USPS measures its performance in achieving strategic initiatives intended to improve its financial viability, such as improving customers’ experiences and providing high-quality service. Furthermore, these plans and reports note that aggressive management of its business operations, as well as legislative and regulatory reforms that will enable it to increase revenue and reduce costs, are all necessary to restore USPS to financial health.

Demonstrated progress: not met. USPS’s overall financial condition is unsustainable and deteriorating. Savings from USPS’s cost-reduction efforts have dwindled in recent years. Although the Postmaster General stated in his August 2020 congressional testimony that USPS will take steps to reduce costs in its control, further cost savings are limited under the existing statutory framework and would not be enough to close its financial gap. In addition, USPS’s costs have significantly increased as a result of COVID-19 due to higher sick-leave use, among other things.

USPS has taken some actions to address employee compensation costs—which represent about 77 percent of its total operating expenses in fiscal year 2020—but we found in January 2020 that USPS had likely overestimated its cost savings. We recommended USPS develop guidance to improve the accuracy of these estimates.

Further, at the end of fiscal year 2020, USPS’s total unfunded liabilities and debt were $188 billion—more than 250 percent of its annual revenue. These unfunded liabilities included about $75 billion in underfunding of retiree health care benefits, and about $61 billion in underfunding of pension benefits.

What Remains to Be Done

Although Congress and USPS took action to preserve USPS’s liquidity, these actions only address USPS’s short-term finances. Since 2010, we have stated that while USPS needs to cut its costs, congressional action is essential to restore USPS to financial viability. Continued congressional inaction will result in ever-larger annual losses and unfunded liabilities for USPS—making future reform more difficult and costly.

Congressional Actions Needed

Congress should consider (1) reassessing and determining the level of universal postal services the nation requires; (2) determining the extent to which USPS should be financially self-sustaining and what changes to federal statutes would be appropriate to meet this goal; (3) determining the most appropriate institutional structure for USPS that best supports the changes; and (4) evaluating the merits of different approaches to put postal retiree health benefits on a more sustainable financial footing, and then determining the most appropriate action to take.

We have also long reported that Congress should require that any binding arbitration in the negotiation process of USPS labor contracts take USPS’s financial condition into account.

Related GAO Products

U.S. Postal Service: Congressional Action Is Essential to Enable a Sustainable Business Model. GAO‑20‑385. Washington, D.C.: May 7, 2020.

U.S. Postal Service: Expanding Nonpostal Products and Services at Retail Facilities Could Result in Benefits, but May Have Limited Viability. GAO‑20‑354. Washington, D.C.: March 10, 2020.

U.S. Postal Service: Additional Guidance Needed to Assess Effect of Changes to Employee Compensation. GAO‑20‑140. Washington D.C.: January 17, 2020.

U.S. Postal Service: Offering Nonpostal Service through Its Delivery Network Would Likely Present Benefits and Limitations. GAO‑20‑190. Washington, D.C.: December 17, 2019.

Postal Retiree Health Benefits: Unsustainable Finances Need to Be Addressed . GAO‑18‑602. Washington, D.C.: August 31, 2018.

U.S. Postal Service: Projected Capital Spending and Processes for Addressing Uncertainties and Risks. GAO‑18‑515. Washington, D.C.: June 28, 2018.

Management of Federal Oil and Gas Resources

To enhance its oversight of oil and gas development on federal lands and waters, the Department of the Interior needs to accurately determine and collect revenue—including determining its fair share—and resolve its human capital challenges.

Why Area Is High Risk

We added management of federal oil and gas resources to the High-Risk List in 2011, based on challenges we identified in Interior’s management of oil and gas on leased federal lands and waters.

This year we have narrowed the scope of this issue by removing the Restructuring of Offshore Oil and Gas Oversight segment due to BSEE’s progress addressing long-standing deficiencies in the bureau’s investigative, environmental compliance, and enforcement capabilities, and implementation of strategic initiatives to improve offshore oversight and internal management.

However, Interior continues to face challenges with revenue determination and collection, and human capital.

Revenue determination and collection. Interior lacks reasonable assurance that it is collecting its fair share of revenue from oil and gas produced on federal lands and waters.

Human capital. While Interior has resolved some of its problems hiring, training, and retaining sufficient staff to oversee and manage oil and gas operations on federal lands and waters, it continues to face strategic challenges managing its onshore workforce.

Contact Information

For additional information about this high-risk area, contact Frank Rusco, (202) 512-4597, RuscoF@gao.gov.

Since our 2019 High-Risk Report, the overall rating for this high-risk area remains unchanged at partially met for all five criteria. However, the Department of the Interior’s (Interior) Bureau of Safety and Environmental Enforcement (BSEE) has now met all criteria for the restructuring of the offshore oil and gas oversight segment and is no longer considered high risk. On the other hand, some ratings for the remaining two segments—revenue determination and collection and human capital challenges—regressed from partially met to not met.

Revenue Determination and Collection

Since 2019, Interior continues to partially meet the criteria for capacity, action plan, monitoring, and demonstrated progress for the revenue determination and collection segment. However, leadership commitment regressed from partially met to not met.

Leadership commitment: not met. The rating for leadership commitment regressed from partially met to not met for two reasons. First, in September 2018, Interior revised a 2016 rule that previously implemented some of our recommendations that the agency better account for methane emissions and potential royalties. The 2018 revisions effectively eliminated many of the 2016 provisions that implemented our recommendations (both rules, however, have been subject to legal challenges, which, at present, have largely invalidated the rules). Interior is also revising another set of regulations that had addressed our recommendations to accurately measure oil and gas for royalty purposes.

Second, in October 2020, we found that leadership at Interior’s Bureau of Land Management (BLM) was deficient when it implemented its royalty relief program in response to the falling domestic oil prices resulting from the Coronavirus Disease 2019 pandemic. Specifically, BLM management ineffectively communicated with BLM state office officials on how to manage its royalty relief program. This led to ad hoc and inconsistent decisions by BLM state offices when approving royalty relief requests. As a result, it is impossible for us or BLM to accurately estimate the effect on production and royalties.

Capacity: partially met. Interior has taken some steps to address its capacity to address weaknesses in its ability to determine and collect revenue. For example, Interior revised its regulations to provide the flexibility to set its onshore royalty at or above 12.5 percent for competitive leases. This revision allows the government to alter royalties if it deems this necessary to ensure a fair return for public resources.

However, Interior still has weaknesses in its capacity to determine whether the oil and gas royalties companies pay to Interior are accurate and complete. For example, Interior’s Office of Natural Resources Revenue (ONRR) lacks a goal for tracking the amount of oil and gas royalties subject to compliance efforts, including audits of oil and gas operators. Additionally, our ongoing work has found that some of Interior’s bureaus lack information technology systems to effectively manage the oil and gas data necessary for ensuring a fair return. In March 2021, we plan to issue a report that discusses Interior’s oil and gas data systems.

Action plan: partially met. In some cases, Interior has provided us with documentation outlining steps it has taken and time frames to address our recommendations. For example, ONRR provided an update in July 2020 on efforts to replace its risk model used to identify companies on which to conduct royalty compliance work.

However, Interior’s Royalty Policy Committee—which was established in March 2017 and tasked with advising the Secretary on fair market value and collection of revenues from energy and natural resources developed on federal lands—was allowed to lapse in April 2019. Then, after a federal court ruled that Interior did not properly follow procedures in setting up the committee, Interior chose not to re-establish the committee and has not replaced it with something comparable. Additionally, BLM has continued to postpone a long-planned internal review to assess the overall effectiveness of previously issued guidance on commingling requests—requests to combine oil or gas from public, state, or private leases prior to royalty measurement.

Monitoring: partially met. Interior has undertaken some efforts to monitor its performance addressing royalty determination and collection weaknesses. For instance, Interior has tracked and implemented a majority of our recommendations addressing revenue determination and collection. However, there is still uncertainty about Interior’s actions to rescind and revise regulatory actions that responded to our recommendations to better account for methane emissions and accurately measure oil and gas for royalty purposes.

Demonstrated progress: partially met. Interior has taken several steps to improve its revenue collection and determination efforts. Since Interior was first added to the High-Risk Report in 2011, it has implemented more than 40 of our recommendations related to this segment. Since our 2019 High-Risk Report, we added 11 recommendations to improve Interior’s ability to assess its revenue collection efforts and better ensure receipt of fair market value for offshore oil and gas leases and production.

While all these recommendations remain open, Interior officials said that they are generally taking steps to implement them. For example, ONRR officials told us in July 2020 that they were developing a new risk model for selecting companies or leases for compliance activities including audits.

On the other hand, Interior’s Bureau of Ocean Energy Management has not provided evidence regarding any actions it might be taking to address our recommendations to better ensure a fair return on federal offshore oil and gas resources through its processes to review company bids for offshore oil and gas leases.

What Remains to Be Done

As of December 2020, 14 recommendations related to this segment remain open. Interior generally concurred with our recommendations but needs to fully implement all of them to address its revenue determination and collection challenges. For example, Interior should continue its efforts to address our recommendations by assessing its royalty compliance efforts and offshore bid valuation processes to ensure the federal government receives fair market value for oil and gas resources. Finally, Interior’s leadership needs to commit to developing policies that consistently lead towards improvements in its revenue determination and collection activities and ensuring the government receives a fair return.

Human Capital Challenges

Since our 2019 High-Risk Report, Interior no longer partially meets the criteria for leadership commitment, capacity, and action plan. Interior continues to partially meet the monitoring and demonstrated progress criteria, as it did in 2019.

Leadership commitment: not met. Interior’s ability to address its human capital challenges has been affected by its July 2019 announcement to reorganize BLM by relocating most Washington, D.C.-based headquarters positions to western states. In March 2020, we reported that BLM did not substantially address key practices for effective agency reform. For example, BLM did not involve employees and stakeholders—a key practice—in the process of developing reforms. Rather than relocate to state and field offices, many headquarters staff left BLM, which caused BLM to lose expertise in headquarters functions, which may include oversight of oil and gas.

Capacity: not met. BLM’s decision to relocate most Washington, D.C.-based headquarters staff to BLM offices across the West or to its new headquarters facility in Colorado without any deliberation or input from staff negatively affected capacity. Of the 311 positions moving west, 132 were vacant in July 2019 and an additional 81 staff either declined the reassignment or separated from their position as of January 2020. As of January 2020, these actions had resulted in a vacancy rate of about 68 percent among these positions, and BLM may be unable to ensure that it has the capacity to continue delivering services previously provided by those staff. We are currently following up on the effects of BLM’s headquarters relocation and loss of staff as well as its efforts to refill these positions.

Further, BLM continues to face challenges with capacity, especially in its hiring, training, and retention of petroleum engineers (PE) and petroleum engineer technicians (PET) needed to oversee federal oil and gas resources. For example, in March 2020, we reported that BLM receives more drilling applications each year than its staff can review.

Action plan: not met. In response to BLM’s decision in 2019 to relocate its headquarters to the West, we requested that BLM provide its assessment of the expected effects of its reorganization on the current and future workforce. Since BLM did not provide an assessment, we recommended that it complete a strategic workforce plan that addresses how it will recruit for and fill vacant positions resulting from the relocations. While BLM provided comments on our report, it neither agreed nor disagreed with our recommendations. This raised questions about BLM’s commitment to implementing the recommendations and its ability to ensure its workforce composition aligns with its mission and priorities.

Monitoring: partially met. Interior has implemented many of our recommendations, including to utilize hiring and retention bonuses to meet its challenges in hiring for key skilled positions. It has also made progress in hiring and retaining staff. Further, Interior has taken steps to annually evaluate its bureaus’ training needs, effectiveness, and resources. However, Interior still needs to regularly document these actions so that it can track its progress over time. In March 2020, we recommended that Interior establish outcome-oriented performance measures to assess the effectiveness of BLM’s reorganization. Interior neither agreed nor disagreed with our recommendation.

Demonstrated progress: partially met. Interior is addressing its human capital challenges by evaluating hiring and retention incentives and training programs for PE and PETs. For example, Interior evaluated training needs, training effectiveness, and sharing training resources for PEs and PETs. However, as stated previously, BLM neither agreed nor disagreed with our strategic workforce plan recommendation. Without strategic workforce planning, the successful implementation of future reorganization and continued delivery of services is at risk.

What Remains to Be Done

Interior needs to provide documentation that it has evaluated the bureaus’ training programs and plans to evaluate the bureaus’ training programs each year. Additionally, Interior needs to implement the following recommendations to successfully implement the BLM reorganization:
  • establish outcome-oriented performance measures to assess the effectiveness of BLM’s reorganization; and
  • complete a strategic workforce plan that addresses how BLM will recruit for and fill vacant positions resulting from the relocations.

To inform future strategic workforce planning for BLM and other Interior bureaus, Interior needs to ensure that Interior’s bureau leadership incorporates key practices for effective agency reforms prior to implementing reorganization activities at other Interior bureaus.

Restructuring of Offshore Oil and Gas Oversight (Segment removed)

The ratings for this segment improved from partially met to met for all criteria since 2019. Consequently, we have removed the segment from this high-risk area.

Leadership commitment: met. Since our 2019 High-Risk Report, Interior has met the criteria for leadership commitment to restructure offshore oil and gas oversight. For example, BSEE’s Director led a change management initiative program that encompassed more than 180 actions to implement reforms throughout the bureau and included efforts such as an internal assessment of its environmental compliance program. Some of these actions were specifically designed to address our outstanding recommendations regarding the bureau’s restructuring and related strategic initiatives.

Capacity: met. Since our 2019 report, BSEE has met the criteria for capacity for restructuring of offshore oil and gas oversight. BSEE has taken steps to address trust concerns between headquarters and field personnel that have historically hindered the bureau’s ability to effectively implement restructuring reforms. For example, BSEE created an Employee Engagement Council to obtain input from employees and incorporate their feedback into bureau restructuring reforms and related strategic initiatives.

Action plan: met. Since our 2019 report, BSEE has met the action plan criteria for restructuring of offshore oil and gas oversight. For each of its reform efforts, BSEE’s change management initiative program identifies specific steps, completion target dates, parties responsible, and their relationship to bureau strategic goals, such as safety, environmental stewardship, and energy security goals.

Monitoring: met. Since our 2019 report, BSEE has met the monitoring criteria for restructuring of offshore oil and gas oversight. BSEE’s change management initiative program includes regular status updates to bureau leadership identifying reform efforts as complete, on schedule, or delayed. BSEE has also improved its enterprise risk management framework and developed a performance management “dashboard” of programmatic performance indicators, both of which better enable the bureau to assess and address the efficacy of its reforms.

Demonstrated progress: met. Since our 2019 report, BSEE has met the criteria for demonstrated progress for restructuring offshore oil and gas oversight. The bureau has addressed eight of the 13 recommendations relevant to BSEE restructuring and related strategic initiatives and has made significant progress addressing the remaining five. For example, BSEE issued a series of manual chapters, policy handbooks, and standard operating procedures that define the responsibilities of its incident investigations, environmental compliance, and safety enforcement divisions—the three oversight functions that comprised the bureau’s restructuring effort.

Related GAO Products

Priority Open Recommendations: Department of the Interior. GAO‑20‑289PR. Washington, D.C.: April 6, 2020.

Bureau of Land Management: Agency's Reorganization Efforts Did Not Substantially Address Key Practices for Effective Reforms. GAO‑20‑397R. Washington, D.C.: March 6, 2020.

Offshore Oil and Gas: Opportunities Exist to Better Ensure a Fair Return on Federal Resources. GAO‑19‑531. Washington, D.C.: September 25, 2019.

Federal Oil and Gas Royalties: Additional Actions Could Improve ONRR's Ability to Assess Its Royalty Collection Efforts. GAO‑19‑410. Washington, D.C.: May 31, 2019.

Oil and Gas Management: Stronger Leadership Commitment Needed at Interior to Improve Offshore Oversight and Internal Management. GAO‑17‑293. Washington, D.C.: March 21, 2017.

Oil and Gas Oversight: Interior Has Taken Steps to Address Staff Hiring, Retention, and Training but Needs a More Evaluative and Collaborative Approach. GAO‑16‑742. Washington, D.C.: September 29, 2016.

Oil and Gas: Interior Could Do More to Account for and Manage Natural Gas Emissions. GAO‑16‑607. Washington, D.C.: July 7, 2016.

Oil and Gas Management: Interior’s Bureau of Safety and Environmental Enforcement Has Not Addressed Long-Standing Oversight Deficiencies. GAO‑16‑245. Washington, D.C.: February 10, 2016.

Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks

To reduce its fiscal exposure to climate change, the federal government needs a cohesive, strategic approach with strong leadership and the authority to manage risks across the entire range of related federal activities.

Why Area Is High Risk

Numerous studies have concluded that climate change poses risks to many environmental and economic systems and creates a significant fiscal risk to the federal government. For example, according to the November 2018 National Climate Assessment report, the continued increase in the frequency and extent of high-tide flooding due to sea level rise threatens America’s trillion-dollar coastal property market and public infrastructure, with cascading impacts on the larger economy. We added this area to the High-Risk List in 2013.

There are five areas in which government-wide action is needed to reduce federal fiscal exposure, including, but not limited to, the federal government’s roles as (1) insurer of property and crops; (2) provider of disaster aid; (3) owner or operator of infrastructure; (4) leader of a strategic plan to coordinate federal efforts; and (5) provider of data and technical assistance to decision makers.

We have made 75 recommendations and suggested five matters for congressional consideration related to this high-risk area; 15 and three of which were made since the 2019 high-risk update, respectively. As of December 2020, 30 recommendations remain open.

Contact Information

For additional information about this high-risk area, contact J. Alfredo Gómez at (202) 512-3841 or gomezj@gao.gov.

Since our 2019 High-Risk Report, the federal government has yet to make measurable progress to reduce its fiscal exposure to climate change. As a result, ratings for all five criteria remain unchanged at partially met or not met.

Similarly, ratings for each of the five segments in this high-risk area remain unchanged at partially met or not met.

This update is based primarily on reports we issued as of mid-January 2021.

Federal Insurance Programs

Since 2019, the ratings for this segment remain unchanged at partially met or not met.

Leadership commitment: partially met. Leadership commitment remains partially met to reflect actions by Congress and federal agencies, such as the passage and implementation of the Biggert-Waters Flood Insurance Reform Act of 2012.

As directed by the act, the Technical Mapping Advisory Council (TMAC) produced a “Future Conditions Risk Assessment and Modeling Report” in 2015 with several recommendations on how to ensure (1) flood insurance rate maps incorporate the best available climate science to assess flood risks, and (2) the Federal Emergency Management Agency (FEMA) uses the best available methodology to consider the impact of rising sea levels and future development on flood risk.

FEMA is working to implement these recommendations. For example, in a February 2020 testimony, an official from FEMA said it has conducted several pilot studies on sea level rise and is working to identify specific research gaps to inform the design of additional future conditions pilot projects.

However, the federal government should take additional actions to improve the long-term resilience of insured structures and crops and address structural weaknesses in the insurance programs. For example, Congress should consider comprehensive reform to the National Flood Insurance Program, as we suggested in April 2017.

Capacity: partially met. Capacity remains partially met to reflect the continuing actions by FEMA and the U.S. Department of Agriculture (USDA) to improve stakeholder capacity to increase their resilience to climate change. For example, in a February 2020 testimony, an official from FEMA said it is working to identify best practices for developing products and tools useful in communicating risk around future conditions to communities. Additionally, USDA’s Climate Hubs—which deliver relevant science-based knowledge to agricultural producers—continue to provide information that may improve producers’ capacity to manage climate change impacts for crop insurance.

However, the federal government should take additional actions to increase capacity. For example, the Secretary of Agriculture should direct USDA to incorporate resilient agricultural practices into expert guidance for growers, as we recommended in October 2014.

Action plan: partially met. FEMA and USDA previously identified actions to address aspects of climate change in their programs on an advisory basis in FEMA’s 2015 TMAC report and USDA’s 2016 Building Blocks for Climate Smart Agriculture and Forestry initiative. However, these actions do not fully address our recommendations, such as incorporating forward-looking requirements into floodplain management minimum standards.

Monitoring: not met. The federal government has not established a mechanism to monitor the effectiveness of actions to improve the long-term resilience of federally insured structures and crops. For example, FEMA has not published metrics and milestones to assess its progress incorporating future conditions into flood map products. USDA established milestones for certain actions to improve resilience and monitored its progress from 2016 through 2018, but no longer does so.

Demonstrated progress: not met. The federal government has not implemented our recommendations to improve the resilience of federally insured property or address structural weaknesses in each program.

What Remains to Be Done

The federal government should incentivize climate resilience by incorporating it into the requirements for receiving payments from federal flood and crop insurance programs. For example, agencies should implement these recommendations we made in October 2014:
  • The Secretary of the Department of Homeland Security should direct FEMA to consider amending the floodplain management minimum standards to incorporate forward-looking requirements, similar to the minimum flood risk reduction standard adopted by the Hurricane Sandy Rebuilding Task Force. FEMA agreed with this recommendation; however, FEMA has not implemented it as of December 2020.
  • The Secretary of Agriculture should direct USDA to consider working with agricultural experts to incorporate long-term resilience into the good farming practices that are required for claim payments. USDA neither agreed nor disagreed with this recommendation, and has not implemented it as of December 2020.

Congressional Actions Needed

Reducing federal fiscal exposure to climate change risks will also require congressional action to address other structural challenges in the insurance programs that send inaccurate price signals to policyholders about their risk of loss or that increase the cost of these programs to taxpayers. For example:
  • Congress should consider repealing certain provisions in the Agricultural Act of 2014 that hinder the crop insurance program’s ability to adjust participating private insurers’ rate of return and share of premiums as changing conditions warrant, as we suggested in July 2017.
  • Congress should consider comprehensive reform to the National Flood Insurance Program to improve its solvency and enhance the nation’s resilience to floods, including funding for flood mitigation and flood mapping, as we suggested in April 2017.

Disaster Aid and Resilience

Since 2019, the ratings for this segment remain unchanged at partially met or not met.

Leadership commitment: partially met. Leadership commitment remains partially met to reflect actions by Congress and federal agencies, such as passage of the Disaster Recovery Reform Act of 2018 (DRRA) in October 2018. Among other things, DRRA allows the President to set aside, with respect to each major disaster, a percentage of the estimated aggregate amount of certain grants to use for pre-disaster hazard mitigation. DRRA also makes federal assistance available to state and local governments for building code administration and enforcement.

However, we have reported that the federal government’s approach to disaster risk reduction has been reactive and fragmented. Top leadership within the executive branch should take additional actions to improve state and local resilience, and develop the information needed to manage disaster assistance programs. For example, the Executive Office of the President (EOP), among others, should use information on potential economic effects of climate change to help identify significant climate risks and craft appropriate federal responses, as we recommended in September 2017.

In addition, the Office of Management and Budget (OMB) should adopt adequate budgeting procedures to account for the costs of disasters, as we recommended in 2003. OMB should also provide funding information for federal programs with fiscal exposure to climate change, as we recommended in April 2018.

Capacity: partially met. Capacity remains partially met to reflect actions by FEMA and DOD. For example, as a result of DRRA, in August 2020, FEMA established the Building Resilient Infrastructure and Communities grant program to support pre-disaster investment in community resilience efforts and has begun accepting applications. Additionally, the Department of Defense (DOD) launched two new grant programs in fiscal year 2020 that support resilience in communities near DOD facilities. However, it is too early to tell whether these measures will improve state and local capacity for resilience.

The federal government has yet to implement key recommendations to improve capacity in this area. For example, FEMA should determine what additional actions may be needed to close capability gaps at each jurisdiction level, as we recommended in March 2011.

Action plan: not met. In August 2019, FEMA and its partners published the National Mitigation Investment Strategy to plan for disaster resilience investment. However, the strategy does not explicitly address future climate change risks or include a strategic approach to identify and prioritize specific climate resilience projects for federal investment, as we recommended in 2015.

Additionally, FEMA’s 2018–2022 Strategic Plan—issued in March 2018— established performance targets doubling the number of properties covered by flood insurance and quadrupling the amount of pre-disaster mitigation by 2022. However, without a comprehensive strategy in place to identify and prioritize FEMA and the federal government’s climate resilience investments, it is unclear whether these efforts will reduce federal fiscal exposure.

Monitoring: not met. The federal government does not have a mechanism to track the effectiveness of federal investments in disaster resilience. Without progress in leadership commitment, capacity, and action planning, there is currently little to monitor.

Demonstrated progress: not met. The federal government has not developed the information necessary to account for its fiscal exposure to climate change or a strategy to reduce this exposure.

What Remains to Be Done

The federal government should develop the information needed to manage disaster assistance programs’ long-term exposure to climate change and fully implement measures that promote resilience from our prior recommendations and DRRA. For example:
  • OMB should provide, concurrent with any future climate change funding reports to Congress, funding information for federal programs with fiscal exposure to climate change, including costs for disaster assistance programs, as we recommended in April 2018. OMB disagreed with this recommendation and has not implemented it as of December 2020.
  • EOP and others should use information on the potential economic effects of climate change to help identify significant climate risks facing the federal government and craft appropriate federal responses, as we recommended in September 2017. EOP neither agreed nor disagreed with our recommendation and has not implemented it as of December 2020.
  • FEMA should update the methodology for assessing jurisdictions’ capability to respond to and recover from a disaster without federal assistance, as we recommended in September 2012. In December 2020, in response to a requirement in DRRA, FEMA issued a notice of proposed rulemaking to substantively revise its methodology. However, it is too early to determine what changes, if any, will be made.
  • FEMA should complete a national preparedness assessment of capability gaps at each jurisdiction’s level based on tiered, capability-specific performance objectives to enable better prioritization of FEMA grant funding to states and localities, as we recommended in March 2011. FEMA has taken steps to implement it, such as developing guidance for jurisdictions. However, the agency has not determined what additional actions may be needed to close the remaining gaps.
  • OMB should adopt adequate budgeting and forecasting procedures to account for fiscal exposures, such as major disaster costs, as part of the federal budget process, as we recommended in 2003. OMB neither agreed nor disagreed with this recommendation and has not taken any action to implement it as of December 2020.

Federal Government as Property Owner

Since 2019, the ratings for this segment remain unchanged at partially met and not met.

Leadership commitment: partially met. Leadership commitment remains partially met to reflect actions by Congress, such as passage of the National Defense Authorization Acts for Fiscal Years 2020 and 2021. Among other things, the 2020 act directs DOD to incorporate resilience to current and future projected climate-related risks and threats into its installations’ master plans. The act also requires DOD to amend its criteria related to construction planning and design to ensure that building practices and standards promote climate resilience.

The 2021 act, among other things, directs DOD to update its 2014 Adaptation Roadmap to include a strategy to address the current and foreseeable effects of extreme weather and sea level fluctuations on the department’s mission, including a discussion of these effects on various infrastructure, such as military installation resilience. Further, in September 2020, the Army published Directive 2020-08 which requires commanders of Army installations to assess, plan for, and adapt to the projected impacts of climate change and extreme weather.

However, top leadership within the executive branch should develop a comprehensive approach to improve the resilience of the facilities the federal government owns and operates and land it manages. For example, we previously reported that without guidance from the Council on Environmental Quality (CEQ) directing agencies to consider climate change in their National Environmental Policy Act of 1969 (NEPA) reviews, agencies do not have White House direction to consider climate change impacts, such as sea level rise, when planning federally-funded infrastructure.

Additionally, we have reported that implementing the January 2015 federal flood risk management standard—which required all future federal investments in, and affecting, floodplains to meet a certain elevation level—would have enhanced federal flood resilience by ensuring agencies addressed current and future flood risk. However, since Executive Order 13807 was rescinded in August 2017, the federal government has not taken any further action as of December 2020.

Capacity: not met. The federal government has not increased capacity in this area. The federal government has not implemented our recommendations to increase capacity in this area, such as by providing the best available forward-looking climate information to standards-developing organizations as we recommended in 2016. Nor has DOD fully implemented our June 2019 recommendation to issue guidance on incorporating climate projections into military installation master planning.

Action plan: partially met. Action plan remains partially met to reflect actions by agencies. For example, DOD has made some progress implementing our (1) May 2014 recommendations to consider climate change impacts for its domestic installations, and (2) June 2019 recommendations to issue guidance on incorporating climate projections into installation master planning and facilities project designs. However, DOD has yet to implement our November 2017 recommendations to consider climate change impacts for its overseas installations.

Further, the federal government has not developed a comprehensive approach to improving the resilience of the facilities it owns and operates and land it manages by incorporating climate change resilience into agencies’ infrastructure and facility planning processes.

Monitoring: not met. The federal government does not have a mechanism to track agencies’ progress toward sustainability goals, including federal facilities’ resilience to climate change impacts. Executive Order 13834 revoked Executive Order 13693, which we previously found partially met this criterion because it established a mechanism for OMB to monitor agencies’ progress toward sustainability goals. These goals included federal facilities’ resilience to climate change impacts.

Demonstrated progress: not met. The federal government has not implemented our recommendations to improve resilience government-wide.

What Remains to Be Done

The federal government needs a comprehensive approach to improve the resilience of the facilities it owns and operates and land it manages. This involves incorporating climate change resilience into agencies’ infrastructure and facility planning processes. It also involves accounting for climate change in NEPA analyses and working with relevant professional associations to incorporate climate change information into structural design standards. For example:
  • DOD should issue guidance on incorporating climate projections into installation master planning and facilities project designs, as we recommended in June 2019. DOD agreed with this recommendation and expects to finish developing such guidance by the second quarter of fiscal year 2021.
  • The Department of Commerce (Commerce) should convene federal agencies to provide the best available forward-looking climate information to standards-developing organizations, as we recommended in November 2016. Commerce neither agreed nor disagreed with this recommendation and has not implemented it as of December 2020.
  • CEQ should finalize guidance on how federal agencies can consider climate change in their evaluations of proposed federal actions under NEPA, as we recommended in April 2013. In August 2016, CEQ issued final guidance, but it rescinded this guidance in April 2017.

Federal Government as Leader of National Climate Strategic Plan

As of 2019, the ratings for this segment remain unchanged at not met.

Leadership commitment: not met. The federal government has not demonstrated leadership commitment to reducing fiscal exposure to climate change. For example, the federal government has not led the development of a national climate strategic plan.

A strategic approach for federal investments in climate resilience would allow for a more purposeful, coordinated, and comprehensive federal response to climate risks, as we reported in October 2019. For example, a strategic approach could help target federal resources toward high-priority projects that manage some of the nation’s most significant climate risks. The federal government is currently not well organized to address the fiscal exposure presented by climate change, in part because of the inherently complicated crosscutting nature of the issue.

Capacity: not met. The federal government has not increased capacity in this area. For example, entities within EOP, including OMB, have not provided information to Congress on fiscal exposures related to climate change.

Action plan: not met. The federal government has not developed a strategic plan to guide the nation’s efforts to adapt to climate change. For example, as previously mentioned, FEMA and its partners issued the National Mitigation Investment Strategy in August 2019. However, the strategy does not include a detailed strategic approach to prioritize investments for disaster risk reduction that explicitly accounts for future climate change risks.

Monitoring: not met. The federal government has not established mechanisms to monitor progress in this area. Without progress in leadership commitment, capacity, and action planning, there is currently little to monitor.

Demonstrated progress: not met. FEMA and its partners implemented our 2015 recommendation to develop a national mitigation investment strategy. However, the federal government still needs to take actions to fully address the following recommendations.

What Remains to Be Done

The federal government could better reduce its fiscal exposure if federal efforts were coordinated and directed toward common goals, such as improving climate resilience. For example, entities within EOP, including OMB, should do the following:
  • Develop a strategic plan to guide the nation’s efforts to adapt to climate change. This plan should include clear priorities that reflect the full range of climate-related federal activities, as well as establish clear roles, responsibilities, and working relationships among federal, state, and local governments, as we recommended in May 2011.
  • Use information on potential economic effects from climate change to help identify significant climate risks and craft appropriate federal responses, as we recommended in September 2017.
  • Provide information on fiscal exposures related to climate change to Congress in conjunction with future reports on climate change funding, as we recommended in April 2018.

EOP neither agreed nor disagreed with our recommendations to develop a strategic plan to guide adaptation efforts and to use information on potential economic effects from climate change to identify significant risks and responses. OMB disagreed with our recommendation to provide information on fiscal exposures related to climate change to Congress in conjunction with any future climate change funding reports. As of December 2020, EOP and OMB have not implemented these recommendations.

Congressional Actions Needed

Reducing federal fiscal exposure to climate change risks will also require congressional action. For example, we have suggested the following:
  • Congress should consider establishing a federal organizational arrangement to periodically identify and prioritize climate resilience projects for federal investment, as we suggested in October 2019.
  • Congress should consider establishing a pilot program with leadership from a defined federal organizational arrangement. This program would identify and provide assistance to climate migration projects for communities that express affirmative interest in relocation as a resilience strategy, as we suggested in July 2020.

Technical Assistance to Federal, State, Local, and Private-Sector Decision Makers

As of 2019, the ratings for this segment remain unchanged at not met.

Leadership commitment: not met. The federal government has not demonstrated top leadership support for federal technical assistance. For example, it has not led the development of a government-wide approach for providing decision makers with the best available climate-related information and assistance with translating such information. Nor has the federal government taken action to ensure projects that receive financial assistance adequately address risks from climate change.

Capacity: not met. The resources and government-wide structure for providing technical assistance to decision makers—with clear roles, responsibilities, and working relationships among federal, state, local, and private-sector entities—remain undefined. For example, in 2019, we reported that federal, state, local, and private-sector decision makers may be unaware that climate information exists or may be unable to use what is available, largely because the federal government’s own climate data are fragmented across individual agencies that use the information in different ways to meet their missions.

Since 2013, we have made multiple recommendations to EOP and individual agencies to address these issues; however, EOP and individual agencies have yet to make progress implementing them.

Action plan: not met. The federal government has not developed a plan to implement a system to provide information to decision makers to support climate resilience, as we recommended in November 2015.

Monitoring: not met. There are no programs or mechanisms to monitor government-wide progress in addressing the challenges we have identified related to the federal government’s role in providing climate-related technical assistance. These challenges include, for example, clarifying the roles, responsibilities, and working relationships among federal, state, local, and private-sector entities; identifying the necessary resources and establishing the government-wide structure necessary to implement plans; and addressing the fragmentation of federal climate information across individual agencies that use the information in different ways to meet their missions.

Demonstrated progress: not met. The federal government has not improved its technical assistance to decision makers, as we have recommended.

What Remains to Be Done

The federal government needs a government-wide approach for providing federal, state, local, and private-sector decision makers with (1) the best available climate-related information, and (2) assistance with translating climate-related data into accessible information. As a result, we recommended in November 2015 that EOP:
  • designate a federal entity to develop and periodically update a set of authoritative climate observations and projections for use in federal decision-making, which other decision makers could also access; and
  • designate a federal entity to create a national climate information system with defined roles for federal agencies and nonfederal entities with existing statutory authority.

EOP neither agreed nor disagreed with our recommendations and has not implemented them as of December 2020.

Further, federal agencies could better provide technical assistance to decision makers. For example, we have made the following recommendations:
  • The Environmental Protection Agency (EPA) should identify technical assistance providers and engage them in a network to help water utilities incorporate climate resilience into their infrastructure projects, as we recommended in January 2020. EPA neither agreed nor disagreed with this recommendation and has not implemented it as of December 2020.
  • EPA should provide direction on how to integrate information on the potential impacts of climate change effects into risk assessments and risk response decisions at Superfund sites, as we recommended in October 2019. EPA disagreed with these recommendations and expects to issue a memorandum to provide such direction by fall of 2021.
  • DOD should issue guidance on incorporating climate projections into installation master planning and facilities project designs, as we recommended in June 2019. DOD agreed with these recommendations and is developing such guidance; it expects to implement these recommendations by the second quarter of fiscal year 2021.

Congressional Actions Needed

Reducing federal fiscal exposure to climate change risks will also require congressional action to ensure infrastructure projects that receive financial assistance adequately address risks from climate change. For example,

Congress should consider requiring that climate resilience be incorporated in the planning of all drinking water and wastewater projects that receive federal financial assistance, as we suggested in January 2020.

Related GAO Products

Climate Change: A Climate Migration Pilot Program Could Enhance the Nation’s Resilience and Reduce Federal Fiscal Exposure. GAO‑20‑488. Washington, D.C.: July 6, 2020.

National Flood Insurance Program: Fiscal Exposure Persists Despite Property Acquisitions. GAO‑20‑508. Washington, D.C.: June 25, 2020.

Water Infrastructure: Technical Assistance and Climate Resilience Planning Could Help Utilities Prepare for Potential Climate Change Impacts. GAO‑20‑24. Washington, D.C.: January 16, 2020.

Climate Resilience: A Strategic Investment Approach for High-Priority Projects Could Help Target Federal Resources. GAO‑20‑127. Washington, D.C.: October 23, 2019.

Disaster Resilience Framework: Principles for Analyzing Federal Efforts to Facilitate and Promote Resilience to Natural Disasters. GAO‑20‑100SP. Washington, D.C.: October 23, 2019.

Superfund: EPA Should Take Additional Actions to Manage Risks from Climate Change. GAO‑20‑73. Washington, D.C.: October 18, 2019.

Climate Resilience: DOD Needs to Assess Risk and Provide Guidance on Use of Climate Projections in Installation Master Plans and Facilities Designs. GAO‑19‑453. Washington, D.C.: June 12, 2019.

Climate Change: Analysis of Reported Federal Funding. GAO‑18‑223. Washington, D.C.: April 30, 2018.

Climate Change: Information on Potential Economic Effects Could Help Guide Federal Efforts to Reduce Fiscal Exposure. GAO‑17‑720. Washington, D.C.: September 28, 2017.

Climate Information: A National System Could Help Federal, State, Local, and Private Sector Decision Makers Use Climate Information. GAO‑16‑37. Washington, D.C.: November 23, 2015.

Improving the Management of IT Acquisitions and Operations

To better manage tens of billions of dollars in information technology (IT) investments, the Office of Management and Budget (OMB) and other federal agencies should continue to fully implement critical requirements of federal IT acquisition reform legislation.

Why Area Is High Risk

The executive branch has undertaken numerous initiatives to better manage the more than $90 billion that is annually invested in IT. However, federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.

These investments often suffer from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In 2015, we added the government’s management of IT acquisitions and operations to the High-Risk List.

Recognizing the severity of issues related to the government-wide management of IT, in December 2014, Congress and the President enacted federal IT acquisition reform legislation. In November 2017, and then again in December 2019, the sunset dates of several of these statutory provisions were extended or removed.

Among other things, these laws require covered agencies to: (1) enhance agency CIO authority, (2) enhance transparency and improve risk management of IT investments, and (3) consolidate federal data centers. Further, legislation enacted in December 2017 established a means for agencies to “borrow” funds in order to modernize their aging IT systems.

Contact Information

For additional information about this high-risk area, contact Carol Harris at (202) 512-4456 or harriscc@gao.gov.

Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged.

Leadership commitment: met. OMB continues to demonstrate its leadership commitment by (1) issuing guidance for covered departments and agencies (agencies) to implement statutory provisions commonly referred to as the Federal Information Technology Acquisition Reform Act (FITARA), (2) optimizing federal data centers, and (3) issuing a new federal government-wide strategy for cloud computing.

It will be important for OMB to maintain its current level of leadership support and commitment to ensure that agencies successfully execute OMB’s guidance on implementing FITARA and related IT reform initiatives. Sustained congressional focus on the implementation of FITARA has led to improvement, as highlighted in agencies’ FITARA implementation scores issued biannually by the House Committee on Oversight and Reform. However, continued executive branch and congressional attention is necessary.

Capacity: partially met. In December 2017, the Technology Modernization Fund (TMF) was established by the Modernizing Government Technology Act to assist agencies with funding to replace aging IT systems. Agencies receive incremental award funding and are required to repay the funds transferred and pay an administrative fee within 5 years. OMB, the General Services Administration (GSA), and the Technology Modernization Board oversee the TMF.

From March 2018, when GSA established the TMF Program Management Office to administer fund operations, to August 2019, the office had obligated about $1.2 million to cover its expenses from managing the fund. However, it had collected limited administrative fees to offset its expenses. As a result, the Technology Modernization Board had fewer funds available than anticipated to award to new projects.

Going forward, OMB and the TMF Program Management Office are likely to face ongoing challenges in collecting administrative fees due to factors that affect fee collection, such as project changes and the office’s lengthy time frame for recovering all costs. We made five recommendations to GSA and OMB in a December 2019 report, including that they (1) develop a plan to fully recover operating costs and (2) clarify that agencies should follow required cost guidance. As of December 2020, none of the recommendations had been implemented.

Twenty-one of the 24 major federal agencies still have not implemented our 2018 recommendations that the agencies modify their practices to fully address the role of their chief information officers (CIO) consistent with federal laws and OMB’s FITARA guidance. The guidance covers, among other things, enhancing the authority of federal CIOs and ensuring that program staff have the necessary knowledge and skills to effectively acquire IT. Progress in establishing key IT workforce planning processes is also lacking. None of the recommendations we made to five agencies in a November 2016 report have been implemented.

Action plan: partially met. Agencies continue to make progress with requirements under FITARA. Specifically, four of 24 agencies have reported completing all milestones within their plans to address the areas of IT management that we have identified as high risk, such as reviewing poorly performing investments and managing agencies’ IT portfolios. Eighteen agencies reported milestones that are still in progress or deferred. Two agencies have not reported on the status of their milestones and some agencies have not updated the status of their milestones in several years.

Agencies also continue to make progress with plans to modernize or replace obsolete IT investments. Specifically, 10 of 12 agencies implemented the recommendations we made in 2016 to identify and plan to modernize or replace legacy IT systems.

In 2019, we also reported on the need for agencies to develop plans to modernize critical legacy systems. Among the 10 most critical legacy systems that we identified as needing modernization, several used outdated languages, had unsupported hardware and software, and were operating with known security vulnerabilities.

Of the 10 agencies responsible for these legacy systems, seven agencies had documented plans for modernizing the systems. However, most lacked the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). The remaining three agencies did not have documented modernization plans.

We made eight recommendations to eight agencies to address these weaknesses and, as of December 2020, none had been implemented.

However, given the cost to maintain legacy systems, in 2010 OMB began requiring agencies to shift their IT services to a cloud computing option when feasible. In 2019, we reported that the 16 agencies we reviewed had made progress in implementing cloud computing services—namely, they established assessment guidance, performed assessments, and implemented these services—but the extent of their progress varied.

We made one recommendation to OMB on cloud savings reporting and 34 recommendations to the 16 agencies on cloud assessments and savings. OMB neither agreed or disagreed and has yet to implement our recommendation. However, two of the 16 agencies have begun to make progress on implementing these recommendations.

Monitoring: partially met. Since our High-Risk Report in 2019, agencies have made progress in identifying their IT contracts and ensuring that acquisition offices are involved. Specifically, in January 2018, we made recommendations to 20 agencies to identify IT contracts and ensure the involvement of an acquisition officer; 16 agencies have implemented our recommendations.

However, we also reported in November 2018 that four selected agencies needed to consistently provide CIOs with visibility into resources, input to resource plans, and meaningful review and approval of IT budgets. As of December 2020, only four of our 43 recommendations to those agencies had been implemented.

Additionally, in September 2020, we reported on the need for federal agencies to take further action to reduce duplicative IT contracts. We found that efforts varied to implement five OMB category management activities aimed at preventing, identifying, and reducing such contracts. We made 20 recommendations to six of the seven agencies in our review to fully implement category management and spend analyses activities.

Lastly, since issuing our 2017 report on implementing adequate incremental development approaches for major IT investments, 13 of 17 agencies have fully addressed recommendations to improve reporting accuracy and update or establish certification policies. Implementing the remaining recommendations will help agencies to ensure that accurate data are made available for the oversight and management of their investments.

Demonstrated progress: partially met. In our 2019 High-Risk Report, we noted that agencies had reported achieving slightly more than 80 percent of their planned data center consolidation savings, a critical step toward addressing this high-risk area. To agencies’ credit, they have continued to make further progress against their goals. Since the beginning of 2019, agencies have reported an additional $440 million in savings.

As of July 2020, OMB and agencies had implemented 133 of the 204 recommendations made to them to improve the reporting of related cost savings and to achieve optimization targets. Implementation of these remaining recommendations by OMB and the agencies could yield additional cost savings.

We also reported in our 2019 High-Risk Report that OMB and federal agencies had fully implemented about 59 percent of the total recommendations we had made since fiscal year 2010 to address shortcomings in IT acquisitions and operations. As of December 2020, that number has increased, with federal agencies fully implementing 65 percent of the 1,396 IT management-related recommendations. However, significant actions are required by agencies to build on this progress.

Agencies continue to report progress in savings across a key OMB initiative—PortfolioStat—intended to improve the management of IT investments by consolidating and eliminating duplicative systems, among other things. Since our last update, agencies added nearly $200 million in savings (in fiscal year 2018) contributing to a total of approximately $2.7 billion in savings from fiscal years 2012 through 2018. This accounts for approximately 45.4 percent of planned PortfolioStat savings. Still, agencies need to make additional progress in savings.

Finally, in April 2019, we reported that agencies identified 12 practices that helped them effectively implement one or more FITARA provisions, which in turn enabled those agencies to realize IT management improvements, such as decommissioning old systems and cost savings. Agencies’ efforts to leverage the practices we identified will be an important element in agencies’ overall FITARA implementation efforts.

What Remains to Be Done

OMB and covered federal agencies should continue to fully implement the requirements of FITARA. Additionally, OMB will need to provide sustained oversight to ensure that agency actions are completed and the desired results are achieved. Beyond implementing FITARA and OMB’s guidance to improve the capacity to address our high-risk area, agencies should implement our remaining 400 open recommendations related to this high-risk area including
  • our 2018 recommendations related to improving CIO authorities, as well as 2016 recommendations on improving IT workforce planning practices;
  • our 2019 recommendations related to improving cloud computing investment spending and savings data; and
  • 11 priority recommendations for agencies to, among other things, report all data center consolidation cost savings to OMB.

OMB and agencies need to take actions to (1) implement at least 80 percent of our open recommendations related to the management of IT acquisitions and operations and (2) achieve at least 80 percent of the over $6 billion in planned PortfolioStat savings. Lastly, agencies should consider applying effective practices that may better position them to implement FITARA provisions and realize IT management improvements and cost savings.

Related GAO Products

Information Technology: Selected Federal Agencies Need to Take Additional Actions to Reduce Contract Duplication. GAO‑20‑567. Washington, D.C.: September 30, 2020.

Information Technology: Key Attributes of Essential Federal Mission-Critical Acquisitions. GAO‑20‑249SP. Washington, D.C.: September 8, 2020.

Data Center Optimization: Agencies Report Progress, but Oversight and Cybersecurity Risks Need to Be Addressed . GAO‑20‑279. Washington, D.C.: March 5, 2020.

Technology Modernization Fund: OMB and GSA Need to Improve Fee Collection and Clarify Cost Estimating Guidance for Awarded Projects. GAO‑20‑3. Washington, D.C.: December 12, 2019.

Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems. GAO‑19‑471. Washington, D.C.: June 11, 2019.

Information Technology: Effective Practices Have Improved Agencies’ FITARA Implementation. GAO‑19‑131. Washington, D.C.: April 29, 2019.

Data Center Optimization: Additional Agency Actions Needed to Meet OMB Goals. GAO‑19‑241. Washington, D.C.: April 11, 2019.

Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked. GAO‑19‑58. Washington, D.C.: April 4, 2019.

Improving Federal Management of Programs that Serve Tribes and Their Members

The Bureau of Indian Education, Indian Health Service, and Bureau of Indian Affairs should take additional actions to improve Indian education and health care programs, and better manage development of Indian energy resources.

Why Area Is High Risk

Because our work has shown federal agencies have ineffectively administered Indian education and health care programs, and inefficiently met their responsibility for managing the development of Indian energy resources, we added this area to our High-Risk List in 2017. It includes three components across agencies in two departments, including BIE and BIA under Interior’s Office of the Assistant-Secretary of Indian Affairs, and IHS in Health and Human Services.

Education. BIE challenges include limited capacity to support and oversee schools and ensure accountability for school construction projects.

Health care. HHS’s inadequate oversight has hindered IHS’s ability to ensure that Indian communities have timely access to quality health care.

Energy. BIA mismanagement of Indian energy resources held in trust limited opportunities for tribes and their members to use those resources to create economic benefits and improve the well-being of their communities.

Contact Information

For additional information about this high-risk area contact Anna Maria Ortiz at (202) 512-3841 or ortiza@gao.gov. For specific questions about our Indian education work, contact Melissa Emrey-Arras at (617) 788-0534 or emreyarrasm@gao.gov; for our Indian Health work, contact Jessica Farb at (202) 512-7114 or farbj@gao.gov; and for our Indian Energy work, contact Frank Rusco at (202) 512-3841 or ruscof@gao.gov.

Since our 2019 High-Risk Report, ratings for all five high-risk criteria in this area remain unchanged with partially met designations.

Within the education component, the Bureau of Indian Education (BIE) has made progress addressing weaknesses, but ratings for all five criteria remain unchanged as partially met. In the health care and energy components, the Indian Health Service (IHS) and the Bureau of Indian Affairs (BIA) each met the criterion for leadership commitment. However, in the education component, they partially met the criterion for leadership commitment because more progress is needed to address issues related to school facility safety. Ratings for the remaining criteria remain unchanged as partially met.

When we added this area to our High-Risk List in February 2017, there were 39 open recommendations. Since then, we have added 26 recommendations for a total of 65 recommendations. As of December 2020, 22 recommendations remain open.

Education

The education segment has partially met all five criteria for addressing high-risk issues.

Leadership commitment: partially met. BIE leadership has shown commitment to addressing key weaknesses in the management of BIE schools. For example, in August 2019, the BIE Director created a leadership position to oversee BIE’s performance in meeting its strategic goals and addressing the management weaknesses identified in our previous reports.

However, more progress is needed in this area. For example, leaders in BIE and other offices under the Office of the Assistant Secretary-Indian Affairs (Indian Affairs) responsible for assisting BIE schools with safety have not identified which office should lead in developing a plan to build BIE schools’ capacity to promptly address facility safety issues, which we recommended in March 2016. We designated it as a priority recommendation and have sent several letters to the Secretary of the Interior about the importance of addressing it.

Capacity: partially met. BIE has made some progress in increasing its capacity to address risks to Indian education.

For example, BIE completed a strategic workforce plan to address recommendations in our 2013 and 2015 reports. The plan includes human capital information to help BIE plan for an adequate number of qualified staff in the appropriate offices to effectively oversee programs that provide administrative support to BIE schools. The plan also includes human capital strategies—such as relocation incentives, student loan repayment, and streamlining candidate background checks—to help fill vacant positions. In addition, as of December 2020, BIE filled 55 positions across the agency, including positions in the division supporting the largest number of bureau-funded schools.

However, about 33 percent of all BIE positions have not been filled, including key leadership positions in offices supporting and overseeing BIE schools. For example, the office responsible for monitoring schools’ compliance with federal education programs—including those for children with special needs and from low-income families—does not have a permanent head and about half of its positions are vacant.

Action plan: partially met. Indian Affairs’ safety office developed and implemented a plan to assess the training needs of all its employees, including BIE staff responsible for inspecting schools, as we recommended. However, the agency has not provided documentation of plans on other important issues, such as a comprehensive, long-term capital asset plan to inform its allocation of school facility construction funds, which we recommended in May 2017.

Monitoring: partially met. BIE has taken steps to monitor its safety inspection process for schools, such as assessing the performance of inspectors and holding them accountable for the agency’s required performance standards. However, BIE has not demonstrated it has fully implemented its high-risk monitoring policy for federal education programs or ensured that its schools are receiving timely monitoring reports, as we recommended in May 2020.

Demonstrated progress: partially met. Since our 2019 High-Risk Report, BIE fully addressed eight of the 12 outstanding recommendations on Indian education we identified in our report. Significant work, however, remains to address our outstanding recommendations in other key areas, such as accountability for BIE school construction projects and special education services. Continued progress will depend on the sustained direction and support of top management in Indian Affairs and BIE.

What Remains to Be Done

To strengthen its capacity to administer and oversee its schools, BIE needs to address critical staff vacancies by fully implementing its strategic workforce plan.

Further, in May 2020, we added seven recommendations on BIE’s need to improve its support and oversight of schools’ special education programs. As of December 2020, 11 recommendations related to this high-risk area remain open, and Indian Affairs concurred with all 11 recommendations. BIE needs to implement these recommendations, including:
  • Develop a plan to build schools’ capacity to address building safety issues;
  • Develop a comprehensive, long-term capital asset plan to inform its allocation of school facility construction funds; and
  • Ensure the full implementation of its high-risk monitoring process and timely monitoring reports to schools on special education and other programs.

Health Care

Steps IHS has taken since 2019 have resulted in IHS now meeting the criterion for leadership commitment. IHS continues to partially meet the four remaining criteria.

Leadership commitment: met. Since 2017, when we first added this area to the High-Risk List, IHS has chartered a policy advisory council that focuses on issues related to strategic direction, recommended policy, and organizational adjustments. According to IHS, this advisory council will, among other things, serve as a liaison to IHS leadership for issues involving strategic direction and policy, as well as monitor and facilitate related policy workgroups. IHS officials have also demonstrated leadership commitment by regularly meeting with us to discuss the agency’s progress in addressing our recommendations.

In addition, IHS officials reported filling a number of senior executive positions as well as expanding the number of senior executives serving the agency. Finally, after a number of years without permanent leadership, the Acting Director of IHS was confirmed as the permanent Director in April 2020. However, due to the transition to a new administration, he has tendered his resignation effective January 20, 2021. Moving forward, we will continue to monitor leadership stability at the agency, which is critical to addressing our high-risk concerns.

Capacity: partially met. Among other actions, IHS officials reported filling health care facility executive vacancies and taking numerous steps to enhance the recruitment and retention of providers.

However, according to IHS officials, the agency’s Coronavirus Disease 2019 response consumed considerable staff attention and effort in 2020 and resulted in the delay of several initiatives. For example, IHS delayed the implementation of efforts to improve its monitoring of health care facility readiness for required accreditation surveys.

Furthermore, IHS estimates that it is funded at approximately 49 percent of its level of need. Agency officials stated that this level of funding requires the agency to rigorously manage tradeoffs between numerous priorities, including electronic health records modernization, improving quality of care programs, and facility construction backlogs.

Action plan: partially met. IHS finalized a strategic plan in 2019. The plan identifies three strategic goals: (1) ensuring access to care, (2) promoting quality of care, and (3) strengthening program management and operations. IHS has developed a system to track agency-wide progress with respect to the strategic plan, and plans to conduct a gap analysis to ensure progress on the plan’s goals.

Monitoring: partially met. IHS has taken some steps toward monitoring the agency’s progress in addressing the root causes of its management weaknesses, and these steps have the potential to significantly improve monitoring.

In addition to establishing its Office of Quality in 2019, IHS established a Chief Compliance Officer role in 2020. Through this role, it developed a process to enhance the agency’s monitoring of area operations. IHS has also taken steps to develop a patient care survey, as well as standards for tracking patient wait times. IHS also purchased and implemented a new adverse event reporting system in response to our January 2017 recommendation.

Our 2020 reports have also shown that IHS needs to improve its oversight of federally operated facilities through enhanced monitoring of facility decision-making and provider performance.

Demonstrated progress: partially met. IHS has made progress in implementing corrective actions related to the management of health care programs. Specifically, since our 2019 High-Risk Report, IHS implemented seven of our eight open recommendations.

For example, in response to our March 2016 recommendation that IHS monitor patient wait times in its federally operated facilities and ensure corrective actions are taken when standards are not met, IHS developed electronic dashboards for monitoring wait times.

In addition, in response to our January 2017 recommendation that IHS develop standards for the quality of care and monitor facility performance with respect to these standards, the agency developed standards for quality and implemented a new adverse event reporting system.

However, we continue to find deficiencies in IHS oversight of important areas. For example, in November 2020, we found that IHS lacked processes to guide area offices in systematically assessing how federally operated facilities will effectively meet the medical needs of their patient populations.

What Remains to Be Done

As of December 2020, one of the eight recommendations in our 2019 High-Risk Report remain open, and we have added six recommendations—for a total of seven open recommendations related to this high-risk area. IHS fully concurred with these seven recommendations.

IHS needs to implement these recommendations including:
  • continue to enhance monitoring of area operations and implement a system to track and analyze agency-wide progress with respect to the strategic plan;
  • develop processes to guide area offices in systematically assessing how facilities will meet the medical needs of their patients;
  • develop a process to review area office policies and trainings related to provider misconduct and substandard performance; and
  • obtain agency-wide information on facility use of temporary provider contractors and use the information to inform decisions about resource allocation and provider staffing.

Energy

Since 2019, BIA has met the criterion for leadership commitment and continues to partially meet the four remaining criteria.

Leadership commitment: met. Steps BIA has taken since 2019 have resulted in BIA now meeting this area. In 2019, the Assistant Secretary for Indian Affairs appointed a Director for BIA and a Deputy Director for BIA’s Office of Trust Services—which has significant responsibility over Indian energy activities. This action provided an opportunity to improve Indian Affairs’ oversight of federal actions associated with energy development.

BIA has shown leadership commitment by issuing updated regulations in December 2019 for how the Secretary will approve tribal energy resource agreements (TERA) that allow for tribes to enter into and manage energy-related leases, rights-of-way, and business agreements without review and approval by the Secretary.

In response to a Secretary of the Interior order, the Office of the Solicitor identified the federal functions that tribes can contract under an approved TERA and those that are considered “inherently federal functions” and not contractible. The clarity provided by the updated regulations and policy guidance may encourage tribal participation in a TERA.

Capacity: partially met. In November 2016, we made two recommendations to BIA to help ensure it has an adequate workforce at agency offices with the right skills, appropriately aligned to meet the agency’s goals and tribal priorities. BIA has taken steps to strengthen its workforce recruitment and planning capacity and to better understand its workforce needs. In fiscal year 2020, BIA committed funds for five new personnel to support strategic recruitment and workforce planning activities.

Furthermore, through a July 2020 interagency agreement, BIA contracted with the Office of Personnel Management (OPM) for a number of workforce planning activities for the Office of Trust Services. OPM will develop a methodology for and conduct a workforce analysis to determine workforce composition needs, assess gaps, prepare a workforce plan, and identify competencies for a number of mission-critical occupations. OPM plans to complete this work in fiscal year 2021.

Action plan: partially met. BIA officials met with us numerous times in fiscal years 2019 and 2020 to discuss actions for implementing our recommendations related to Indian energy resources. However, the agency does not have a comprehensive plan in place to address the problems with oversight of its energy development activities or data limitations for timely leasing activities. BIA needs to develop such a plan with clear milestones.

Monitoring: partially met. BIA monitors its progress in implementing our recommendations and reports on this progress to Indian Affairs. However, BIA does not have well-defined performance measures or a process to monitor its oversight of energy development activities, which limits its ability to assess its progress.

Demonstrated progress: partially met. BIA has made progress with workforce capacity and agency coordination. For example, the recently formed Indian Energy Service Center assisted several field offices with backlogs in work associated with leasing and permitting for Indian energy development. It also hosted training on oil and gas development standard operating procedures for Interior employees.

The Indian Energy Service Center also established and coordinated meetings of six regional groups of federal agencies involved in Indian energy development to identify and resolve issues. However, more needs to be done to close open recommendations, as discussed below.

What Remains to Be Done

As of December 2020, four of the 12 recommendations in our 2019 High-Risk report remain open. BIA fully concurred with all four recommendations. For example, BIA needs to:
  • complete an assessment of the composition of its workforce and implement a comprehensive workforce planning system; and
  • develop a process to monitor its oversight of energy development activities and assess its progress.

Related GAO Products

Indian Health Service: Actions Needed to Improve Oversight of Provider Misconduct and Substandard Performance. GAO‑21‑97. Washington, D.C.: December 10, 2020.

Indian Health Service: Actions Needed to Improve Oversight of Federal Facilities’ Decision Making About the Use of Funds. GAO‑21‑20. Washington, D.C.: November 12, 2020.

Indian Education: Actions Needed to Ensure Students with Disabilities Receive Special Education Services. GAO‑20‑358. Washington, D.C.: May 22, 2020.

Indian Health Service: Facilities Reported Expanding Services Following Increases in Health Insurance Coverage and Collections. GAO‑19‑612. Washington, D.C.: September 3, 2019.

VA and Indian Health Service: Actions Needed to Strengthen Oversight and Coordination of Health Care for American Indian and Alaska Native Veterans. GAO‑19‑291. Washington, D.C.: March 21, 2019.

Decennial Census

The Census Bureau implemented new technologies and other innovations for the 2020 Census, but also made a series of late design changes, such as delaying operations in response to COVID-19, that put the quality of the census at risk. Evaluations of innovations and late design changes are critical for 2030 Census planning.

Why Area Is High Risk

The U.S. census is mandated by the Constitution and provides vital data for the nation. Census data are used, among other purposes, to apportion the seats of the U.S. House of Representatives; redraw congressional districts in each state; and allocate billions of dollars each year in federal financial assistance.

Through 2023, the 2020 Census is estimated to cost approximately $15.6 billion after adjusting for inflation. To achieve cost savings, the Bureau implemented several new innovations including the development of new and modified IT systems. However, these innovations were not fully tested as budget uncertainty caused the Bureau to scale back testing in 2017 and 2018.

The 2020 Decennial Census was first added in 2017 as a high-risk area. Moreover, both the 2000 and 2010 Censuses were high-risk areas. For this update, we are changing the name of the high-risk area because risks continue beyond 2020 and may threaten the 2030 Census.

In March 2020, COVID-19 caused the Bureau to delay its 2020 operations and when the Bureau resumed operations in May 2020, it faced a new set of operational and public safety challenges. These delays, the resulting compressed time frames, and continued uncertainty over COVID-19 had the potential to undermine the overall quality of the count.

Contact Information

For additional information about this high-risk area, contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov, or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Since our 2019 High-Risk Report, ratings for the leadership commitment criterion regressed, and the other four remain unchanged.

Leadership commitment: partially met. The Coronavirus Disease 2019 (COVID-19) pandemic caused the Census Bureau to pause and delay several field data collection operations. For example, the Bureau delayed nonresponse follow-up, when the Bureau follows up with households that do not initially respond to the Census, by 3 months. Given this unexpected stop in operations, the Department of Commerce (Commerce) on April 13, 2020, requested a 4-month delay in delivering the apportionment numbers to the President—statutorily due by December 31, 2020—and sought legislative relief for the delay.

However, according to Bureau officials, Commerce directed the Bureau to plan for a census without legislative relief, and on August 3, 2020, the Bureau publicly announced it would deliver the apportionment numbers by December 31, 2020. According to senior Bureau officials, they were not consulted on the decision to change the date for delivering the apportionment numbers and had approximately 96 hours to develop a revised plan of operations without legislative relief.

To meet the statutory deadline, the Bureau shortened the time to collect data by 1 month and the response processing operation by approximately 2.5 months. Compressing these time frames, increased the risk to the accuracy and completeness of the census count.

Subsequently, this decision to shorten data collection time frames and deliver the apportionment numbers by December 31, 2020, was challenged in court. The Bureau ended field data collection on October 15, 2020, after the U.S. Supreme Court determined that it could do so, and began working on a timeline to deliver apportionment numbers. However, data anomalies found during the processing of census responses have delayed the delivery of apportionment numbers, which as of February 2021 had not been delivered to the President.

Moreover, during the summer of 2020, Commerce created four new political appointee positions at the Bureau—Deputy Director for Data, Deputy Director of Policy, Senior Advisor to the Deputy Director for Policy, and Counselor to the Director. Senior Bureau officials told us that it is unprecedented to create new senior-level political appointee positions during the decennial census and that the appointees’ roles in the 2020 Census were often not clear. On January 19, 2021, all four political appointees resigned, and on January 20, 2021, the Director of the Census Bureau retired.

Capacity: partially met. Before the COVID-19 outbreak, the Bureau had an estimated $2.03 billion in total unobligated contingency funds for 2020 operations. As of December 2020, the Bureau anticipated that these contingency funds will be more than sufficient to address both the initial COVID-19 response and design changes, estimating that the Bureau would still have at least $187 million in contingency funding.

To ensure its resources are effectively targeted for the 2030 Census, it will be important for the Bureau to follow both cost estimation and scheduling best practices. For example, the Bureau needs to implement our recommendation to improve the credibility of schedules for the 2030 Census. While we found the Bureau took steps toward conducting quantitative schedule risk analyses with its master activity schedule for the 2020 Census, it effectively ran out of time to do so. To ensure the Bureau has sufficient resources and time to complete all the activities for the 2030 Census, this recommendation will remain open.

Action plan: partially met. According to Bureau officials, in 2019 they began the planning for the 2030 Census. The focus of 2030 planning is to reduce risk during peak operations through the work done earlier in the decade. The Bureau has developed 5 guiding principles for 2030 Census planning:
  • follow disciplined management practices;
  • simplify designs, solutions, and methods;
  • distribute program work, resources, and costs more evenly across the census life-cycle;
  • minimize field data collection with alternative data sources wherever possible; and
  • manage stakeholder communications and expectations throughout the decade

However, in planning for 2030, the Bureau will not fully understand the quality of the data collected for 2020 until it completes all of its planned evaluations. The Bureau has a series of planned operational assessments, coverage measurement exercises, and data quality teams that are positioned to retrospectively study the effects of design changes made in response to COVID-19 on census data quality.

The Bureau is updating its plans for these efforts to examine the range of operational modifications made in response to COVID-19, including the August 2020 and later changes. We have previously noted that late design changes create increased risk for a quality census.

As part of the Bureau’s assessments, it will be important to address a number of concerns we identified about how late changes to the census design could affect data quality. These concerns include (1) how the altered time frames affected population counts during field data collection and (2) what effects, if any, compressed and streamlined post-data collection processing of census data may have on the Bureau’s ability to detect and fully address processing or other errors before releasing the apportionment and redistricting tabulations.

Over the next year, addressing these concerns and providing transparency over what is known and not yet known about census quality will help the Bureau increase public confidence in the quality and completeness of 2020 Census data products, despite all of the challenges the Bureau faced. These actions will also help inform future census planning efforts.

Monitoring: partially met. In looking forward to the next decennial census, senior Bureau officials told us they will build on lessons learned from 2020. For example, the Bureau actively monitored the COVID-19 pandemic and made necessary changes to census operations. Specifically, Bureau leadership used data to make real-time decisions about area census office re-openings during COVID-19.

However, as of January 2021, the Bureau continued to face uncertainty about schedules and plans related to disclosure avoidance for 2020 Census data products expected to be released starting in 2021. Disclosure avoidance protects the confidentiality of respondent data, especially at lower levels of geography.

According to the Bureau’s Chief Scientist, plans and schedules will need to be updated if the release dates for data products, such as redistricting data, change due to the operational impacts from COVID-19. In the fall of 2020, the agency had pushed some disclosure avoidance milestones from August 2020 to November 2020, due to schedule uncertainty and operational impacts from COVID-19.

Additionally, as of February 2021, the Bureau still needed to complete the IT testing and implementation activities required to support its post enumeration survey—a survey that is independent from the 2020 Census and intended to provide estimates of census quality. The Bureau plans to deploy the final systems to support its post enumeration survey by November 2021.

We previously reported on shortcomings in the Bureau’s management of the IT systems testing activities including, for example, being at risk of not meeting near-term milestones planned for completing system integration testing.

Demonstrated progress: partially met. In August 2019, the Bureau provided an update to the 2020 Census cost estimate, which we found to be sufficiently reliable. For example, the Bureau had implemented a system to track and report variances between actual and expected cost elements. Tools to track these variances are important because they enable management to measure progress against planned outcomes and prepare for 2030.

However, as of January 2021, a recommendation we made in April 2019 to identify and implement corrective actions within prescribed time frames for cybersecurity weaknesses had not been fully addressed. The Bureau had made some progress toward addressing this recommendation by reducing the number of corrective actions that it considered “high” or “very high” risk. Nevertheless, as of November 2020, 106 of the 174 total open “high” and “very high” risk corrective actions (about 61 percent) were delayed past their scheduled completion dates.

In December 2020, the Bureau’s information security officials attributed their current delays in addressing the corrective actions to technical challenges and dependencies between systems. According to those officials, the Bureau conducts quarterly briefings with system and information security stakeholders to discuss in-depth the delayed corrective actions. However, cybersecurity will continue to be an area to watch as the Bureau processes data to be included in upcoming data products that are to be released starting in 2021.

What Remains to Be Done

As of January 2021, we have made 113 recommendations related to the 2020 Census, 20 of which have not been fully implemented. Commerce generally agreed with our recommendations and is taking steps to implement them. Moreover, in our April 2020 priority recommendation letter to Commerce we identified 10 recommendations as priorities, none of which have been fully implemented over the past year. To make continued progress for the 2030 Census it will be essential for the Bureau to
  • improve the credibility of schedules, including conducting a quantitative risk assessment;
  • update and implement its assessments to address data quality concerns we have identified, as well as any operational benefits;
  • address cybersecurity weaknesses in a timely manner; and
  • continue to address our recommendations, especially those designated priority recommendations.

Congressional Actions Needed

In 2019 and 2020, we testified in six congressional hearings focused on the preparations for and implementation of the decennial census. Going forward, continued oversight will be needed to ensure that 2020 Census evaluations are completed as scheduled and that the Bureau has the resources it needs to begin planning the 2030 Census. Moreover, given the importance of the decennial census to the nation, it will be imperative for Congress to provide oversight of early planning for the 2030 Census.

Related GAO Products

2020 Census: The Bureau Concluded Field Work but Uncertainty about Data Quality, Accuracy, and Protection Remains. GAO‑21‑206R. Washington, D.C.: December 9, 2020.

2020 Census: Census Bureau Needs to Ensure Transparency over Data Quality. GAO‑21‑262T. Washington, D.C.: December 3, 2020.

2020 Census: Census Bureau Needs to Assess Data Quality Concerns Stemming from Recent Design Changes. GAO‑21‑142. Washington, D.C.: December 3, 2020.

2020 Census: Key Areas for Attention Raised by Compressed Timeframes. GAO‑20‑720T. Washington, D.C.: September 10, 2020.

2020 Census: Recent Decision to Compress Census Timeframes Poses Additional Risks to an Accurate Count. GAO‑20‑671R. Washington, D.C.: August 27, 2020.

2020 Census: COVID-19 Presents Delays and Risks to Census Count. GAO‑20‑551R. Washington, D.C.: June 9, 2020.

2020 Census: Update on the Census Bureau's Implementation of Partnership and Outreach Activities. GAO‑20‑496. Washington, D.C.: May 13, 2020.

2020 Census: Bureau Generally Followed Its Plan for In-Field Address Canvassing. GAO‑20‑415. Washington, D.C.: March 12, 2020.

2020 Census: Operations Are Underway with Challenges Remaining. GAO‑20‑367T. Washington, D.C.: February 12, 2020.

2020 Census: Initial Enumeration Underway but Readiness for Upcoming Operations Is Mixed. GAO‑20‑368R. Washington, D.C.: February 12, 2020.

2020 Census: Changes Planned to Improve Data Quality. GAO‑20‑282. Washington, D.C.: December 20, 2019.

2020 Census: Status Update on Early Operations. GAO‑20‑111R. Washington, D.C.: October 31, 2019.

U.S. Government’s Environmental Liability

The federal government’s environmental liability is vast and growing, and a number of agencies—especially the Departments of Energy and Defense, which bear the bulk of this liability—need to address environmental risks, and monitor and report on this liability.

Why Area Is High Risk

The federal government's environmental liability will likely continue to grow even as billions are spent each year on cleanup efforts. For fiscal year 2019, the federal government's estimated environmental liability was $595.4 billion—up from $212 billion in fiscal year 1997 (the total liability for fiscal year 2020 was unavailable at the time this report was published). We added this area to our High-Risk List in 2017.

DOE is responsible for the largest share of the liability ($512 billion in fiscal year 2020), which is related primarily to retrieving, treating, and disposing of nuclear and hazardous waste. DOD is responsible for the second-largest share ($75 billion in fiscal year 2020), which is related primarily to environmental cleanup and restoration activities at or near its current and former installations. The remaining liability is shared among other agencies, including the Departments of Agriculture, Interior, Transportation, and Veterans Affairs, and NASA.

DOE’s liability grew by $7 billion in fiscal year 2020, primarily due to adjustments for inflation. Even with the increase, however, DOE’s cleanup responsibilities may be underestimated because government accounting standards for environmental liabilities only require agencies to report liability costs that can be reasonably estimated.

Contact Information

For additional information about this high-risk area, contact Nathan Anderson at (202) 512-3841 or andersonn@gao.gov.

Since our 2019 High-Risk Report, ratings in all five criteria remain unchanged.

Leadership commitment: partially met. As in 2019, federal agencies continue to partially meet this criterion. However, the Departments of Energy and Defense (DOE) and (DOD) have stalled in their efforts to focus more attention on their environmental liabilities.

Specifically, in the past 5 years, we have made 28 recommendations to DOE related to addressing and reducing its environmental liability, such as analyzing the root causes of its growing liability. DOE has yet to implement 26 of these 28 recommendations.

In addition, although DOE’s Office of Environmental Management developed a strategic vision in 2020 for the next decade of cleanup activities, it has not developed a strategic plan that incorporates the principles of risk-informed decision-making (i.e., an approach that helps agencies prioritize cleanup based on factors like cost and the risks to human health and the environment—which we outlined in September 2019). It also has yet to develop a method for tracking changes to its cleanup agreement requirements, as we reported in February 2019. Having these elements in place would better position DOE to effectively set priorities within and across its cleanup sites and direct its limited resources to address those priorities.

In November 2020, the DOD Inspector General found that DOD is unable to develop accurate estimates and account for environmental liabilities in accordance with accounting practices. Specifically, the Inspector General reported that DOD (1) is unable to substantiate the completeness and amount of its environmental liability estimate; and (2) has insufficient policies, procedures, and supporting documentation for developing and supporting its cost estimates, among other things.

Capacity: not met. Federal agencies have significant gaps in their ability to effectively address their current or future environmental liability. For instance, we found in March 2020 that federal agencies have identified at least 140,000 features at abandoned hardrock mines—such as unsecured tunnels and toxic waste piles—on lands managed by the Departments of Agriculture and the Interior. However, agency officials estimated there could be more than 390,000 abandoned hardrock mine features on federal lands that the agencies have yet to capture in their databases that could contribute to federal environmental liabilities. Federal and state officials cited availability of resources as a factor that limits efforts to address hazards at abandoned hardrock mines.

Similarly, we found in May 2020 that DOE’s Office of Legacy Management—which oversees long-term surveillance and maintenance at more than 100 former nuclear weapons production and energy research sites—has yet to plan for how to address challenges at some sites that may require new cleanup work outside the scope of the office’s expertise and resources.

We also found in November 2020 that DOE’s Office of Environmental Management has significant staffing shortages at its site office responsible for the Waste Isolation Pilot Plant in New Mexico. These shortages could affect the plant’s ability to remain on schedule for constructing additional disposal space. Also, any interruptions to waste shipments planned for disposal in the additional space could impair DOE’s ability to meet its cleanup milestones.

Action plan: not met. Neither DOE nor DOD has fully identified the causes of or developed a formal plan to address their growing environmental liability. DOE has taken initial steps toward a more risk-based approach to waste classification, such as initiating an effort in August 2020 to demonstrate the feasibility of its proposed interpretation of the statutory definition of high-level waste.

However, DOE continues to face challenges developing a cohesive action plan when addressing problems on its cleanup projects. For example, we found in February 2019 that DOE and its regulators have more than 70 agreements that contain hundreds of milestones for work at 16 cleanup sites, but that DOE has not conducted root cause analyses on missed or postponed milestones. Similarly, we found in September 2019 that DOE must treat more than a million gallons of waste at its Idaho National Laboratory, but initial testing of an on-site treatment facility revealed problems and DOE does not have a strategy or timeline to address them.

In October 2020, we reported that DOD had identified eight audit remediation priority areas to help guide and prioritize department-wide efforts. However, environmental liabilities is not one of the eight audit remediation priority areas identified, even though DOD’s Inspector General reported in 2020 that financial controls over environmental liabilities were lacking.

In addition, the lack of clarity about some cleanup standards may make it more difficult for federal agencies to develop plans. For example, the Environmental Protection Agency does not regulate certain emerging contaminants in drinking water, even as states have developed such standards. DOD and National Aeronautics and Space Administration (NASA) officials told us it is difficult to develop cleanup plans in the context of a varied and uncertain regulatory framework. While agencies may have to address stricter state standards, federal regulations would establish a regulatory floor for planning purposes.

Monitoring: not met. DOE and DOD do not have the information they need to monitor the effectiveness of their actions to address their environmental liabilities. DOE continues to struggle to develop reliable cost estimates and schedules for its cleanup efforts.

For example, we found in December 2019 that DOE’s Office of Environmental Management does not consistently track expenditures for cleanup activities across its three gaseous diffusion plants, which impedes its ability to develop reliable cost estimates. DOE’s 2019 report to Congress on the status of the fund to clean up these plants was based on outdated data and underestimates cleanup costs by about $20 billion.

In addition, we found in reviews conducted in 2019 and 2020 that DOE’s cost and schedule estimates for several cleanup projects were unreliable, which affects the accuracy of reported liabilities.

Additionally, the DOD Inspector General’s November 2020 financial audit found that DOD has not implemented a department-wide environmental liabilities calculation methodology. As a result of this lack of controls, DOD changed its estimated date for having a corrected environmental liability estimate from fiscal year 2021 to fiscal year 2025. In contrast, NASA—which holds less than 1 percent of the U.S. government’s environmental liabilities—tracks its environmental liability through a database of ongoing and potential future remediation projects, which includes information on estimated costs and uncertainties.

Demonstrated progress: not met. The federal government’s environmental liability, driven largely by DOE’s cleanup costs, continues to grow (see figure 8). DOE has made progress at some sites and is at or near completion for several important cleanup projects—such as the construction of the Salt Waste Processing Facility at the Savannah River Site which has been under construction for nearly 16 years.

In addition, DOE contracted with a federally funded research and development center, which issued a report in October 2019 on options for treating supplemental low-activity waste at the Hanford Site. We previously found that, if given authority by Congress to manage this waste as other than high-level waste, DOE could potentially save billions of dollars by using alternate treatment methods. In a December 2020 report, DOE acknowledged that it could save up to $230 billion by taking these actions that we have recommended.

However, DOE continues to face significant cost and schedule challenges with other projects and activities, such as the Waste Treatment Plant construction project at the Hanford Site. This cleanup project, which is DOE’s largest and most expensive, began in 2000 and has cost more than $11 billion to date. Since work stopped on much of the facility in 2012 to address technical challenges, DOE has spent $752 million (as of fiscal year 2018), mostly to preserve and maintain the site, and another $400 million pursuing alternatives. However, DOE has not used the best available methods to determine which alternative to pursue.

Similarly, DOD’s liability has remained largely unchanged in recent years despite DOD spending billions on environmental cleanup projects. DOE and DOD need to do more to demonstrate progress toward fully identifying, reporting, and developing a plan to address their environmental liabilities.

Figure 8: U.S. Government’s Environmental Liability, Fiscal Years 2015-19

What Remains to Be Done

As of December 2020, 38 of our recommendations related to this high-risk area—of which 22 were made since 2019—had not been implemented. Of these recommendations, 31 pertain to either DOE or DOD and include the following:
  • DOE should develop a program-wide strategy for implementing its cleanup agreements and a framework for incorporating risk-informed decisions.
  • DOE should conduct root cause analyses of missed or postponed milestones.
  • DOD should address deficiencies in its ability to substantiate the completeness and amount of its environmental liability estimate.

Congressional Actions Needed

Congress should consider clarifying DOE’s authority at the Hanford site to determine whether portions of the supplemental low-activity waste can be managed as other than high-level waste. Providing clear authority to DOE may allow it to use alternative waste treatment approaches to treat the Hanford Site’s supplemental low-activity waste, which could reduce certain risks by neutralizing the waste faster and save tens of billions of dollars.

Related GAO Products

Environmental Liabilities: NASA’s Reported Liabilities Have Grown, and Several Factors Contribute to Future Uncertainties. GAO‑21‑205. Washington, D.C.: January 15, 2021.

Nuclear Waste Disposal: Better Planning Needed to Avoid Potential Disruptions at Waste Isolation Pilot Plant. GAO‑21‑48. Washington. D.C.: November 19, 2020.

Environmental Liabilities: DOE Needs to Better Plan for Post-Cleanup Challenges Facing Sites. GAO‑20‑373. Washington, D.C.: May 13, 2020.

Hanford Waste Treatment Plant: DOE Is Pursuing Pretreatment Alternatives, but Its Strategy Is Unclear While Costs Continue to Rise. GAO‑20‑363. Washington, D.C.: May 12, 2020.

Abandoned Hardrock Mines: Information on Number of Mines, Expenditures, and Factors That Limit Efforts to Address Hazards. GAO‑20‑238. Washington, D.C.: March 5, 2020.

Environmental Liabilities: DOE Would Benefit from Incorporating Risk-Informed Decision-Making into Its Cleanup Policy. GAO‑19‑339. Washington, D.C.: September 18, 2019.

Nuclear Waste Cleanup: DOE Faces Project Management and Disposal Challenges with High-Level Waste at Idaho National Laboratory. GAO‑19‑494. Washington, D.C.: September 9, 2019.

Nuclear Waste Cleanup: DOE Could Improve Program and Project Management by Better Classifying Work and Following Leading Practices. GAO‑19‑223. Washington, D.C.: February 19, 2019.

Nuclear Waste: DOE Should Take Actions to Improve Oversight of Cleanup Milestones. GAO‑19‑207. Washington, D.C.: February 14, 2019.

Department of Energy: Program-Wide Strategy and Better Reporting Needed to Address Growing Environmental Cleanup Liability. GAO‑19‑28. Washington, D.C.: January 29, 2019.

Emergency Loans for Small Businesses

The Small Business Administration (SBA) must show stronger program integrity controls and better management over the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL), which includes ensuring only eligible businesses receive assistance.

Why Area Is High Risk

Between March and December 2020, SBA made or guaranteed more than 14.7 million loans and grants through PPP and EIDL, providing about $744 billion in emergency funding to help small businesses. Congress appropriated an additional $284 billion for PPP and $20 billion for targeted EIDL advances in December 2020.

The CARES Act created PPP. These loans have a 1 percent interest rate and terms of 2 or 5 years. Borrowers may have their loans fully forgiven if certain conditions are met.

Similarly, the CARES Act expanded eligibility for EIDL and created a new $10,000 advance. Borrowers do not have to repay advances.

To respond to the adverse economic conditions small businesses faced, SBA quickly set up or expanded these programs. However, the speed with which they were implemented left SBA susceptible to improper payments—making payments in an incorrect amount or that should not have been made at all. There have been reports of fraud in both programs, although the full extent is not yet known.

In a December 2020 report, SBA’s financial statement auditor identified several material weaknesses in controls associated with the two programs, including weaknesses in SBA’s loan approval processes that led to loans going to potentially ineligible borrowers.

Contact Information

For additional information about this high-risk area, contact William B. Shear at (202) 512-8678 or shearw@gao.gov.

SBA made or guaranteed billions of dollars in emergency loans and grants quickly to help many small businesses in need. However, we are adding Emergency Loans for Small Businesses as a new high-risk area because of the limited controls built into the PPP and EIDL approval processes. Although this created the risk of hundreds of millions of dollars in improper payments, including those resulting from fraud, SBA lacks finalized plans to oversee the two programs.

Further, as we have reported multiple times, SBA’s failures to provide data and documentation on a timely basis for PPP and EIDL have impeded efforts to ensure transparency and accountability for the programs. This includes delays in obtaining key information from SBA, such as detailed oversight plans and documentation for estimating improper payments.

Lack of safeguards and finalized oversight plans. Given the immediate need for emergency funding, SBA implemented limited safeguards for approving PPP and EIDL loans and lacks finalized plans to oversee the two programs after loan approval, including PPP loan forgiveness.

In June 2020, we reported that SBA’s initial interim final rule for PPP allows lenders to rely on borrower’s certifying their eligibility and the use of loan proceeds. It also requires a limited review of documents provided by the borrower to determine the qualifying loan amount and eligibility for loan forgiveness. We noted that reliance on borrower self-certifications can leave a program vulnerable to exploitation by those who wish to circumvent eligibility requirements or pursue criminal activities.

We also reported that because SBA had limited time to implement safeguards for the PPP loan approval process and assess program risks, ongoing oversight would be crucial. At that time, SBA had announced that it would review loans of more than $2 million to confirm borrower eligibility after the borrower applied for loan forgiveness and that it may review any PPP loan it deemed appropriate.

However, SBA provided few details on these reviews. Therefore, we recommended that SBA develop and implement plans to identify and respond to risks in PPP to ensure program integrity, achieve program effectiveness, and address potential fraud, including in loans of $2 million or less.

In early December 2020, SBA officials said the agency had completed oversight plans and provided a document that SBA characterized as an overview of these plans. At that time, the agency had not yet finalized and provided more comprehensive documentation detailing its oversight plans and how it will implement them.

At the end of December 2020, SBA provided a draft Master Review Plan for the loan review process, but the document we received did not contain detailed policies and procedures for some loan reviews or loan forgiveness reviews as we had previously requested. According to SBA officials, these were in the process of being updated. Until we receive detailed documentation and can review the procedures and checklists that are being used in the review process, we cannot more fully evaluate SBA’s process.

Consistent with our recommendation, in December 2020 Congress passed legislation requiring SBA to submit to the Senate and House Small Business Committees an audit plan detailing the policies and procedures for conducting forgiveness reviews and audits of PPP loans within 45 days of enactment and to provide monthly updates thereafter.

The same legislation also requires SBA to respond to requests from GAO within 15 days (or such later date as the Comptroller General may provide) or report to Congress on the reasons for the delay. In addition, it appropriated about $284 billion for PPP. Borrowers who have already received a loan may obtain a second one if they meet certain conditions, such as having used the full amount of their first PPP loan. New first-time borrowers may also apply for PPP loans under the act.

The CARES Act also relaxed some approval requirements for EIDL, such as requiring the applicant to demonstrate that it could not obtain credit elsewhere, and made certain agricultural businesses eligible. In January 2021, we reported that as of July 14, 2020, SBA had provided about 5,000 advances totaling about $26 million to potentially ineligible businesses in three types of industries—adult entertainment, casino gambling, and marijuana retail.

Additionally, we reported that as of September 30, 2020, SBA approved at least 3,000 loans totaling about $156 million to potentially ineligible businesses that SBA policies state were ineligible for the EIDL program, such as real estate developers and multilevel marketers. SBA officials said that the CARES Act permitted businesses to self-certify their eligibility for EIDL loans and advances.

Therefore, we recommended in January 2021 that to improve SBA’s oversight of its EIDL approval process, SBA should develop and implement portfolio-level data analytics across EIDL loans and advances made in response to Coronavirus Disease 2019 (COVID-19) as a means to detect potentially ineligible and fraudulent applications.

SBA neither agreed nor disagreed with our recommendation. SBA took issue with our finding that potentially ineligible businesses received EIDL advances and loans. SBA stated that CARES Act provisions permitted businesses to self-certify their eligibility and that applicants could not proceed until they certified that they were not engaged in any of the prohibited activities. The agency also stated that a business being in one of the categories we deemed ineligible did not automatically mean the business was ineligible. However, we did not state that the businesses were automatically ineligible.

SBA also referred to actions the agency takes to make sure ineligible businesses do not receive EIDL loans and advances, such as manual review of applications from businesses in prohibited categories, but did not state any plans to conduct data analytics to identify potential ineligible businesses. We maintain that portfolio-level data analytics could help SBA improve its management of fraud risk.

In December 2020, Congress appropriated an additional $20 billion for targeted EIDL advances. The advances are restricted to certain eligible companies that are located in low-income communities, have suffered an economic loss of more than 30 percent, and have no more than 300 employees. Congress also required SBA to perform eligibility verification for advances and permitted SBA to require additional information from applicants, such as tax returns, for loans and advances as part of its verification.

Risk of improper payments and fraud. The limited safeguards when approving PPP and EIDL loans may have increased SBA’s susceptibility to improper payments and fraud.

As we reported in November 2020, it is especially important for agencies with large appropriated amounts, like SBA, to quickly estimate their improper payments, identify root causes, and develop corrective actions when there are concerns about the possibility that improper payments, including those resulting from fraudulent activity, could be widespread.

Because SBA had not done so for PPP, we recommended that SBA expeditiously estimate improper payments and report estimates and error rates for PPP due to concerns about the possibility that improper payments, including those resulting from fraudulent activity, could be widespread. In December 2020, SBA stated that it was planning to estimate improper payments for PPP and that it works to minimize them in its loan programs. However, as of that date the agency had not provided documentation of its plans for testing, including estimates of improper payments and error rates for PPP.

In January 2021, we reported on potentially suspicious activity in the PPP and EIDL programs. Between May and October 2020, financial institutions filed more than 21,000 and 20,000 suspicious activity reports (SAR) related to PPP and EIDL, respectively, with the Financial Crimes Enforcement Network (FinCEN). More than 1,400 institutions had filed SARs related to PPP, and more than 900 institutions had filed SARs related to EIDL.

According to FinCEN officials, these financial transactions involved questionable activity and potential fraud committed by PPP and EIDL loan recipients, such as the rapid movement of funds, and possible identity theft and forgeries. Law enforcement agencies use these reports to help support investigations, such as those related to PPP or EIDL.

In addition to suspicious activity reported by financial institutions, the Department of Justice (DOJ) has publicly announced charges in more than 90 cases related to PPP and EIDL. The charges—filed across the U.S. and investigated by a range of law enforcement agencies—include allegations of making false statements and engaging in identity theft, wire and bank fraud, and money laundering. As of November 2020, DOJ estimated that the defendants in the PPP-related cases sought more than $260 million from PPP.

Moreover, in October 2020, the SBA Office of Inspector General (OIG) reported that its preliminary review revealed strong indicators of widespread potential fraud in the EIDL program. According to the report, the OIG and other law enforcement agencies had seized over $450 million from over 15,000 fraudulent EIDL loans. According to SBA officials, they are working with law enforcement, such as the SBA OIG, to support data requests and make referrals for potential investigation.

Inability to support its accounting and related controls. In December 2020, SBA’s independent financial statement auditor issued a disclaimer of opinion on SBA’s consolidated financial statements as of and for the year ended September 30, 2020, meaning the auditor was unable to express an opinion due to insufficient evidence. As the basis for the disclaimer, the auditor stated that SBA was unable to provide adequate documentation to support a significant number of transactions and account balances related to PPP and EIDL due to inadequate processes and controls.

The auditor identified several material weaknesses in controls related to SBA’s CARES Act programs, including PPP and EIDL. In total, the auditor identified seven material weaknesses related to the following areas: (1) PPP loan approvals, (2) PPP reporting, (3) PPP cost estimates, (4) EIDL loans and advance approvals, (5) EIDL contractor oversight, (6) PPP and other loan guarantee program contractor oversight, (7) overall management controls (e.g., ineffective control environment, risk assessment processes, control activities, information and communication processes, and monitoring processes). Overall, the auditor made 46 recommendations to SBA management. In commenting on the audit, SBA stated it supports the requirements for auditability of its financial statements and is working to correct shortcomings for future audits.

In its discussion of material weaknesses related to PPP, the auditor noted there were over 2 million approved PPP loans (with an approximate total value of $189 billion) flagged by management that are potentially not in conformance with the CARES Act and related legislation. The loans were flagged for one or more of 35 reasons (such as borrower with criminal record or inactive business). In addition, the auditor found that SBA reported approximately $6 billion of PPP loans approved but not disbursed due to unsubmitted or unprocessed reports from lenders. The audit noted there were over 896,000 errors from lender reporting that were identified but not reviewed or processed. The auditor recommended, among other things, that SBA review loans with incomplete or inaccurate reporting and update records as appropriate.

In its discussion of material weaknesses related to EIDL loans and advances, the auditor noted that there were a total of over 6,000 approved and disbursed loans (with a total value of over $212 million) flagged within the loan repository system that were issued to potentially ineligible borrowers. In addition, management noted that adequate controls were not designed and implemented to determine that fraud alerts raised in SBA’s lending portal were sufficiently addressed before loans were approved. The auditor noted SBA management did not have adequate procedures and controls implemented to address certain alerts—such as those triggered when a bank account or routing number could not be verified or when a public records search could not find a business. The auditor recommended, among other things, that SBA perform a thorough review of EIDL loans and advances to identify those not in conformance with the CARES Act and related legislation.

In its discussion of the weaknesses related to overall management controls, the auditor noted deficiencies within all components of internal control. The auditor noted the weaknesses were primarily caused by the prioritization and the urgent need to implement the provisions of the CARES Act and related legislation as quickly and efficiently as possible over internal control processes. The auditor recommended, among other things, that SBA perform and document a thorough risk assessment, develop and implement monitoring controls, and document the internal controls related to implementation of the CARES Act and related legislation.

What Remains to Be Done

Since June 2020, we have made three recommendations to SBA regarding PPP and EIDL. SBA should
  • develop and implement plans to identify and respond to risks in PPP to ensure program integrity, achieve program effectiveness, and address potential fraud, including in loans of $2 million or less;
  • estimate improper payments and report estimates and error rates for PPP; and
  • develop and implement portfolio-level data analytics across EIDL loans and advances made in response to COVID-19 as a means to detect potentially ineligible and fraudulent applications.

In addition, in December 2020 SBA’s financial statement auditor made several recommendations to SBA on PPP and EIDL. It will be important for SBA to implement effective corrective actions to address recommendations from its financial statement audit, including those related to loan approvals and contractor oversight. We are adding Emergency Loans for Small Businesses as a new high-risk area because of the limited controls built into the PPP and EIDL approval processes, the related risk of hundreds of millions of dollars in improper payments, and the consequent need for greater program integrity and better management.

Related GAO Products

COVID-19: Critical Vaccine Distribution, Supply Chain, Program Integrity, and Other Challenges Require Focused Federal Attention. GAO‑21‑265. Washington, D.C.: January 28, 2021.

COVID-19: Urgent Actions Needed to Better Ensure an Effective Federal Response. GAO‑21‑191. Washington, D.C.: November 30, 2020.

Small Business Administration: COVID-19 Loans Lack Controls and Are Susceptible to Fraud. GAO‑21‑117T. Washington, D.C.: October 1, 2020.

COVID-19: Federal Efforts Could Be Strengthened by Timely and Concerted Actions. GAO‑20‑701. Washington, D.C.: September 21, 2020.

COVID-19: Brief Update on Initial Federal Response to the Pandemic. GAO‑20‑708. Washington, D.C.: August 31, 2020.

COVID-19: Opportunities to Improve Federal Response and Recovery Efforts. GAO‑20‑625. Washington, D.C.: June 25, 2020.

DOD Weapon Systems Acquisition

The Department of Defense can better ensure that its sizeable weapon systems investment will help yield a decisive and sustained U.S. military advantage by following knowledge-based practices and developing a plan to monitor recent acquisition reforms.

Why Area Is High Risk

In June 2020, we reported that DOD expects to invest about $1.8 trillion to acquire 106 new weapon systems. Congress and DOD have long sought to improve how DOD acquires these systems, yet many programs continue to fall short of cost, schedule, and performance goals. We added this area to our High-Risk List in 1990.

These challenges occur in an era when programs are more software driven than ever before and face global cybersecurity threats. However, software development continues to be a stumbling block for programs, and DOD has made only limited progress in addressing cybersecurity vulnerabilities.

A number of other issues could also affect DOD’s ability to keep pace with evolving threats, such as the ability to develop innovative technologies and the capabilities of the defense industrial base.

DOD is implementing significant changes in an effort to improve weapon system outcomes. However, considerable work remains, and until it is completed, DOD’s ability to quickly deliver capabilities to the warfighter is hindered.

Contact Information

For additional information about this high-risk area, contact Shelby S. Oakley, Director, Contracting and National Security Acquisitions at (202) 512-4841 or oakleys@gao.gov.

Since our 2019 High-Risk Report, our assessment of the Department of Defense’s (DOD) performance against our five criteria remains unchanged.

Leadership commitment: met. DOD continues to demonstrate a strong commitment, at the highest levels, to improving the management of its weapon system acquisitions. However, to sustain the met rating for this criterion, DOD will need to ensure it follows through to complete the implementation of new initiatives. It will also need to address leadership-related recommendations.

Since March 2019, DOD leadership has recognized the evolving challenges the department faces in fielding weapon systems that meet warfighter needs and has consistently taken steps to address them.

In June 2019, we reported that DOD made progress in implementing reforms to restructure the oversight of major defense acquisition programs, including shifting decision-making authority for many programs from the Office of the Secretary of Defense to military departments.

In 2020, DOD reissued its foundational acquisition guidance, emphasizing speed and agility in the acquisition process. The new guidance includes six acquisition pathways based on the characteristics and risk profile of the system being acquired. DOD has also issued supplemental guidance for these pathways and the functions that support them, such as cybersecurity and test and evaluation.

The guidance includes an increased focus on software development and cybersecurity practices that DOD leadership and others have recognized as a particular risk area for the department’s weapons system programs.

DOD leadership has also continued to make progress in clearly defining roles and responsibilities for acquisition oversight. In June 2019, we reported that DOD needed continued leadership attention to address challenges with implementing acquisition oversight reforms, including disagreements between the Office of the Secretary of Defense and the military departments about acquisition oversight roles. Subsequently, the Deputy Secretary of Defense issued a memorandum in December 2019 to define roles for acquisition oversight.

In July 2020, the department issued charters for the Under Secretaries of Defense for Research and Engineering and Acquisition and Sustainment. These two new offices responsible for acquisition oversight were created in response to congressional direction. The charters should help to further clarify roles and responsibilities.

However, work still remains at both the Office of the Secretary of Defense and military department levels to complete the development and implementation of acquisition policies. According to officials from the Office of the Under Secretary of Defense for Acquisition and Sustainment, (1) the military departments will also need to update their policies to align with department-wide policies, and (2) the department will need to develop streamlined processes and tools to support the effective implementation of the newly-issued policies.

In June 2019 we reiterated the importance of recommendations we originally made in 2015 to clarify and strengthen roles and responsibilities at the enterprise level for making portfolio management decisions. These recommendations aim to ensure that DOD’s investments are strategy driven, affordable, and balance near- and long-term needs. We noted that these recommendations may take on more importance for DOD in light of the implementation of acquisition reforms that will further diffuse responsibility for initiating and overseeing acquisition programs, but DOD has yet to implement them.

Capacity: partially met. In reshaping its acquisition organization to emphasize speed and agility, DOD acknowledged the importance of the acquisition workforce and took steps to increase its hiring and training for that workforce. DOD has made sufficient progress in addressing overall acquisition workforce shortfalls such that we have removed that issue from our Contract Management high-risk area this year.

However, since our last High-Risk Report in 2019, we and others reported on capacity challenges related to weapon system acquisition specifically. In June 2019, we reported that DOD faced challenges in filling vacancies in the Offices of the Under Secretaries of Defense for Research and Engineering and Acquisition and Sustainment, as well as gaps in skill sets such as data analytics that are critical to acquisition oversight.

In June 2020, we reported that many major defense acquisition programs reported difficulty in hiring software development staff with the required expertise and in time to complete the required work. DOD has taken initial steps to implement a statutory requirement to establish software development and acquisition training and management programs, but, according to a review by the Defense Innovation Board in March 2020, implementation is still in a formative stage.

With regard to cybersecurity, DOD’s Director, Operational Test and Evaluation reported in December 2019 that the department lacked testing personnel with deep cybersecurity expertise and stated that without substantial improvements in cybersecurity test and evaluation, especially in the workforce, DOD risks lowering overall force readiness and lethality.

Multiple reports we published between August 2015 and April 2020 indicate that DOD needs to enhance its acquisition policies in a number of areas. These areas include (1) ensuring that program cost estimates better conform to leading practices, (2) improving reliability and sustainment planning early in the acquisition process, (3) strengthening coordination and processes for portfolio management, and (4) improving the science and technology management framework to apply leading practices and encourage innovation.

Action plan: partially met. Since our last High-Risk Report in 2019, DOD began implementing planned actions to improve acquisition outcomes, including developing and issuing guidance for six new acquisition pathways under its adaptive acquisition framework. However, the department has yet to develop detailed plans for how it will assess whether the new acquisition pathways achieve intended outcomes, including the applicability of metrics to each pathway.

Additionally, because of changes to its annual performance reporting, DOD may have less insight than it had in the past into root causes of cost or schedule growth to allow it to develop effective action plans. From 2013 to 2016, DOD assessed and reported publicly on its acquisition performance across its full portfolio of programs, including analysis of causative factors. However, DOD’s reporting from 2017 onward includes only limited analysis of program cost and schedule performance and does not analyze causative factors.

While DOD began implementing actions for certain software and cybersecurity challenges, it is still developing implementation plans and policies for others. In response to numerous recommendations made in 2018 by the Defense Science Board and in 2019 by the Defense Innovation Board related to the implementation of leading software practices, DOD made certain existing software development capabilities available enterprise-wide and created working groups to address related workforce issues.

However, DOD is still analyzing how it will address a Defense Science Board recommendation related to machine learning in defense systems, which the board identified as a complicating factor for software acquisitions. Similarly, while we reported in October 2018 that DOD began initiatives to better understand and address cybersecurity vulnerabilities, as of December 2020 according to DOD officials, DOD is still developing and implementing policies in support of its Risk Management Framework approach to cybersecurity in weapons system acquisition.

Monitoring: partially met. The Under Secretary of Defense for Acquisition and Sustainment stated her commitment to conduct data-driven oversight of acquisition programs. Nearly all of these programs are now managed at the military department level instead of the Office of the Secretary of Defense level in part due to a fiscal year 2016 statutory reform. DOD has made progress in developing its approach to this type of oversight, such as completing data strategies for some acquisition pathways.

In June 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment announced plans to adopt a data and analytics strategy to facilitate data-driven oversight, which the Under Secretary’s office and the military departments are developing together.

This effort could help to address disagreements that we reported on in June 2019 between the Office of the Secretary of Defense and military departments about the amount of program information that military departments should be required to provide to the Office of the Secretary of Defense for certain programs. DOD emphasized the importance of resolving these disagreements in a November 2020 report to Congress in which it noted that ensuring data transparency across the DOD components was a challenge to improving acquisition data.

The department also has yet to take several actions we have recommended in the past to improve the availability and quality of data needed for effective monitoring. For example, in June 2019, we recommended that DOD develop a plan to assess recent acquisition reforms and to identify the necessary data. However, DOD has yet to determine how it will monitor most of the reforms we reviewed.

We also reported on continued challenges with data reliability for one of DOD’s new acquisition pathways—middle-tier acquisition—that is intended to deliver capabilities to the warfighter within 2 to 5 years. In our June 2020 assessment of DOD’s weapon system programs, we observed inconsistent cost reporting and wide variation in schedule metrics across these programs. These issues pose oversight challenges for Office of the Secretary of Defense and military department leaders trying to assess performance of these programs.

We and others also identified challenges with regard to DOD’s efforts to monitor software development efforts. For example, we reported in June 2020 that some weapon system programs did not submit required reports on software development efforts needed to prepare acquisition and life-cycle cost estimates.

Additionally, the Defense Innovation Board reported on several deficiencies with DOD’s software development metrics in May 2019. A working group comprised of DOD and industry officials recommended approaches to monitoring software development efforts in April 2020, but it is too soon to tell whether these approaches will be effective.

Demonstrated progress: partially met. In 2019, we identified a cost avoidance totaling $136 billion in procurement funding DOD realized from 2013 to 2018 after reforming business case and cost estimate practices. In 2019 and 2020, we reported a statistical correlation of lower cost and schedule growth for major defense acquisition programs that consistently implemented specific knowledge-based acquisition practices, such as maturing critical technologies and conducting preliminary design reviews prior to starting development.

These analyses provide evidence that DOD can reduce its cost and schedule growth by consistently implementing knowledge-based acquisition practices. However, our June 2020 assessment of DOD’s weapon systems still shows DOD’s inconsistent implementation of knowledge-based acquisition practices, even among its newer programs.

Programs also show extensive cost and schedule growth from their initial cost and schedule baselines, much of which is unrelated to the increase in quantities purchased.

DOD took significant steps in the past few years to implement acquisition reforms and to issue new guidance. These steps aim to streamline the acquisition process to help deliver capabilities faster and to improve software approaches and cybersecurity practices. It is likely too early to see effects of these reforms on the cost, schedule, and performance of the department’s weapon system acquisition programs.

Until DOD determines its action plan and ensures the availability and quality of data needed for monitoring, DOD and Congress cannot be sure whether the new reforms and policies are leading to the intended results.

What Remains to Be Done

Since we added this area to our High-Risk List in 1990, we have made hundreds of related recommendations. As of December 2020, 114 recommendations remain open, 56 of which we made since the last High-Risk Report in March 2019. To show a continued commitment to improving its weapon systems outcomes, DOD should implement our open recommendations including the following:
  • Improve DOD’s ability to manage its portfolio by (1) requiring annual enterprise-level portfolio reviews that incorporate requirements, acquisition, and budget processes; (2) directing appropriate department staff to collaborate on their data needs; and (3) incorporating lessons learned from military service portfolio reviews and portfolio management activities, such as using multiple risk and funding scenarios to assess needs and reevaluate priorities.
  • Determine (1) the metrics needed to assess middle-tier acquisition and acquisition programs other than major defense acquisition programs’ cost and schedule performance; and (2) how reliable data will be collected and shared between the services and the department to facilitate oversight.
  • Implement several recommendations to individual programs related to knowledge-based acquisition practices including (1) fully maturing critical technologies prior to starting development; (2) ensuring program cost estimates are fully compliant with best practices including cost risk assessments; and (3) employing reliability and sustainment planning early in a program’s development to ensure realistic reliability requirements and that sustainment cost targets are met.
  • Implement numerous recommendations to individual military departments and DOD components related to improving acquisition cost, schedule, and performance.
  • Implement guidance for software development that provides specific, required direction on when and how often to involve users early in the development process and to continue involving users through development of related program components.
  • Implement leading practices for managing science and technology programs.

Related GAO Products

Columbia Class Submarine: Delivery Hinges on Timely and Quality Materials from an Atrophied Supplier Base. GAO‑21‑257. Washington, D.C.: January 14, 2021.

Defense Science and Technology: Opportunities to Better Integrate Industry Independent Research and Development into DOD Planning. GAO‑20‑578. Washington, D.C.: September 3, 2020.

Defense Acquisitions Annual Assessment: Drive to Deliver Capabilities Faster Increases the Importance of Program Knowledge and Consistent Data for Oversight. GAO‑20‑439. Washington, D.C.: June 3, 2020.

F-35 Joint Strike Fighter: Actions Needed to Address Manufacturing and Modernization Risks. GAO‑20‑339. Washington, D.C.: May 12, 2020.

Navy Shipbuilding: Increasing Focus on Sustainment Early in the Acquisition Process Could Save Billions. GAO‑20‑2. Washington, D.C.: March 24, 2020.

Space Command and Control: Comprehensive Planning and Oversight Could Help DOD Acquire Critical Capabilities and Address Challenges. GAO‑20‑146. Washington, D.C.: October 30, 2019.

Army Modernization: Army Futures Command Should Take Steps to Improve Small Business Engagement for Research and Development. GAO‑19‑511. Washington, D.C.: July 17, 2019.

DOD Acquisition Reform: Leadership Attention Needed to Effectively Implement Changes to Acquisition Oversight. GAO‑19‑439. Washington, D.C.: June 5, 2019.

Weapon Systems Annual Assessment: Limited Use of Knowledge-Based Practices Continues to Undercut DOD's Investments. GAO‑19‑336SP. Washington, D.C.: May 7, 2019.

Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities. GAO‑19‑128. Washington, D.C.: October 9, 2018.

DOD Financial Management

The Department of Defense needs to continue to improve its information systems controls, action plans, and monitoring efforts to produce reliable, useful, and timely financial information for decision makers.

Why Area Is High Risk

DOD’s financial management continues to face long-standing issues—including its ineffective processes, systems, and controls; incomplete corrective action plans; and the need for more effective monitoring and reporting.

DOD financial management has been on our High-Risk List since 1995. Although DOD’s spending makes up about half of the federal government’s discretionary spending, and its physical assets represent more than 70 percent of the federal government’s physical assets, it remains the only major agency that has never been able to accurately account for and report on its spending or physical assets.

DOD’s financial management issues extend beyond financial reporting as long-standing control deficiencies adversely affect the economy, efficiency, and effectiveness of its operations.

Sound financial management practices and reliable, useful, and timely financial and performance information would help ensure DOD’s accountability over its extensive resources and more efficient management of its assets and budgets.

DOD’s approach to addressing these management challenges is to correct the issues identified by its auditors, and downgrade or eliminate material weaknesses.

Contact Information

For additional information about this high-risk area, contact Asif Khan, (202) 512-9869, khana@gao.gov.

Since our 2019 High-Risk List, the Department of Defense (DOD) has made progress to partially meet the criterion of demonstrated progress. The other four criteria remain unchanged.

The Coronavirus Disease 2019 (COVID-19) pandemic altered the timing and scope of the fiscal year 2020 financial statement audits, and affected DOD components’ ability to complete audit remediation activities. DOD continues to assess the overall effect COVID-19 is having on its efforts to improve financial management at the department.

Leadership commitment: met. Since our 2019 High-Risk Report, DOD leadership continued its commitment to financial management improvements by (1) implementing a database that tracks thousands of financial statement audit findings; (2) including financial statement audit issues in the Secretary of Defense’s broader reform agenda; and (3) providing information about DOD’s strategic financial management transformation efforts, audit remediation progress, and audit metrics at meetings with (or in reports to) Congress, senior leaders, and the Under Secretary of Defense (Comptroller).

DOD also continued to include mandatory performance requirements, such as effectively closing audit findings issued by DOD’s auditors, for relevant members of its Senior Executive Service to support these annual financial statement audits.

Capacity: partially met. DOD has efforts under way to address capacity. For example, in fiscal year 2019, 23 of 26 Other Defense Organizations, such as the Defense Information Systems Agency, migrated to a standardized enterprise resource planning system, which should reduce the number of financial management systems used. In addition, the Defense Finance Accounting Service collaborated with the Secretary of Defense to use a central financial management data repository to help components verify that transactions are accurate and complete and demonstrate how they flow to its financial statements.

DOD also led an initiative to reduce the number of legacy financial management systems by investing in current enterprise resource planning systems and certain financial management systems. However, in September 2020, we reported that the department’s financial management systems strategy did not include measures for tracking progress in achieving the strategy’s goals. We also reported that DOD does not know how much it spends on the systems that support its financial statements because it does not have a way to reliably identify them. Since beginning a department-wide financial statements audit in fiscal year 2018, auditors have reported material weaknesses across numerous areas, including systems controls that affect the accuracy of financial reporting and pose a significant risk to DOD’s operations.

DOD continues to use a financial management certification program to provide targeted financial management and leadership training and education to address its financial management workforce skills gaps. Nevertheless, DOD continues to face financial management personnel capacity challenges in its efforts to mitigate competency gaps by adding personnel with the requisite financial management skills. For example, DOD acknowledges that succession planning across the department is inconsistent, it has to compete with industry for financial management talent, and that it has difficulty retaining millennials.

Action plan: partially met. DOD and its components have taken some steps to prioritize audit remediation efforts, develop corrective action plans (CAP) to address findings reported by its external auditors, and improve their ability to monitor and report on such efforts. For example, as of May 2020, DOD had identified eight financial statement audit remediation priority areas and is working to further prioritize its remediation efforts to focus on critical findings that contribute to material weaknesses in these areas.

DOD also developed and implemented a centralized database to track, summarize, and report information about the audit findings, recommendations, and related CAPs to address them. However, there are opportunities for DOD to continue strengthening its action plans. For example, in October 2020 we reported that DOD’s CAPs to address audit findings do not always (1) include required information, (2) indicate that a root-cause analysis was conducted, and (3) document the rationale for accepting the risk associated with not taking action on certain deficiencies and appropriately identify such instances in the database.

Monitoring: partially met. DOD identified financial statement audit remediation priority areas and metrics to monitor progress for addressing certain material weaknesses. DOD also reviewed CAPs to determine if they included information specified by the Office of Management and Budget, such as the year the deficiency was first identified and the targeted corrective action date.

To monitor progress, DOD uses a reporting tool to produce reports for high-level decision-making and reporting based on real-time data contained in its centralized database. This tool enables DOD to produce reports on the status of audit findings and its efforts to address audit priority areas and material weaknesses.

However, the database information may be inaccurate, unreliable, and incomplete for management decision-making. For example, in October 2020 we reported that financial statement audit findings were not always linked to the correct CAPs in the centralized database. Additionally, although DOD reviews the database information monthly, it does not follow up on instances of outdated information or other exceptions identified to ensure components resolve them timely. Without complete and reliable information on DOD’s audit remediation efforts, internal and external stakeholders may not have quality information to effectively monitor and measure DOD’s progress.

Demonstrated progress: partially met. Since DOD has made some progress to address its financial management challenges the rating for this criterion improved from not met in 2019 to partially met in 2021. For example, in 2020, DOD completed its third entity-wide financial statement audit. Although DOD did not receive an opinion on its financial statements, it successfully implemented corrective actions that enabled auditors to close 623 (26 percent) of the audit findings issued in fiscal year 2018. DOD anticipates successfully implementing corrective actions that will enable auditors to close over 20 percent of the audit findings issued in fiscal year 2019.

Ensuring DOD financial statement audits are conducted annually is important for a variety of reasons. Over the last few years these audits have led to operational improvements that have saved millions of dollars and better positioned DOD for readiness and deployment. Financial statement audits also help DOD improve its operations by evaluating information technology and cyber systems for compliance with specified requirements, testing the department’s financial information for accuracy, and identifying specific control weaknesses during the audit that need to be addressed by DOD’s management.

Financial statement audits not only determine the accuracy of financial records, but also provide actionable feedback on weaknesses and inefficiencies in DOD’s financial management processes that, if corrected, can result in more efficient operations, better decision-making, and better use of the significant resources provided to DOD.

DOD also developed performance metrics to assess its progress on audit remediation priority areas. In addition, the military services developed methodologies to prioritize their audit findings concluding that more than half of their fiscal year 2018 audit findings are high priority and significant to their financial statement audits.

In fiscal year 2018, DOD established a centralized database to track and monitor audit findings issued from financial statement audits and the related CAPs developed to remediate them. However, DOD does not have effective processes to regularly monitor the quality of the CAP information included in the database. As a result, the database information may be inaccurate or incomplete, affecting the quality of information provided to management and Congress on the status of DOD audit remediation efforts.

While this progress is encouraging, additional actions will be needed to continue to address DOD’s ability to provide reliable, useful, and timely financial and managerial information related to areas such as financial management systems and information technology, inventory, property plant and equipment, and fund balance with the Department of the Treasury.

What Remains to Be Done

It is critical that DOD and its components continue their efforts to address long-standing financial management deficiencies. Over the years, since we added this area to our High-Risk List, we have made numerous recommendations related to this issue, 33 of which we made since the last update in March 2019. As of December 2020, 49 recommendations are open. To address its complex array of financial management challenges, DOD needs to take actions, such as the following that we recommended in September and October 2020:
  • updating its guidance to instruct components to document root-cause analysis when needed to address deficiencies auditors identified;
  • improving its CAP review process to ensure data elements not included in CAPs are appropriately identified and communicated to components and resolved, audit findings are linked to the correct CAPs, and components document their rationale for accepting the risk associated with certain deficiencies and appropriately identify such instances in its database;
  • developing and implementing a DOD-wide strategy to remediate real property asset control issues;
  • establishing performance goals that include performance indicators, targets, and time frames to monitor the status of efforts to address information technology-related audit findings;
  • implementing a mechanism to identify financial management systems that support the preparation of its financial statements in the department's systems inventory and budget data, and identify a complete list of financial management systems; and
  • establishing time frames for developing an enterprise road map to implement its financial management systems strategy that documents the current and future state; includes a transition plan for moving from the current to the future; discusses performance gaps, resource requirements, and planned solutions; and maps DOD's financial management systems strategy to projects and budget. The plan should also document the tasks, time frames, and milestones for implementing new solutions, and include an inventory of systems.

Related GAO Products

DOD Financial Management: Continued Efforts Needed to Correct Material Weaknesses identified in Financial Statement Audits. GAO‑21‑157. Washington, D.C.: October 13, 2020.

Financial Management: DOD Needs to Implement Comprehensive Plans to Improve Its Systems Environment. GAO‑20‑252. Washington, D.C.: September 30, 2020.

Defense Real Property: DOD-Wide Strategy Needed to Address Control Issues and Improve Reliability of Records. GAO‑20‑615. Washington, D.C.: September 9, 2020.

Air Force: Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets. GAO‑20‑332. Washington, D.C.: June 18, 2020.

Department of Defense: Actions Needed to Reduce Accounting Adjustments. GAO‑20‑96. Washington, D.C.: January 10, 2020.

DOD Business Systems Modernization

The Department of Defense needs to improve management of its business systems acquisitions and leverage its federated business enterprise architecture to identify and address potential duplication and overlap across systems.

Why Area Is High Risk

DOD spends billions of dollars each year to acquire modernized systems, including ones that address key areas such as personnel, financial management, health care, and logistics. While DOD’s capacity for modernizing its business systems has improved over time, significant challenges remain. We first added this area to our High-Risk List in 1995.

This high-risk area includes three critical challenges facing DOD: (1) improving business systems acquisition management, (2) improving business systems investment management, and (3) leveraging DOD’s federated business enterprise architecture.

Improving business system acquisition management would contribute to better cost, schedule, and performance outcomes for DOD systems. Improving business system investment management would allow DOD to more effectively and efficiently manage its portfolios of business system investments. Enhanced use of its federated business enterprise architecture would help DOD identify and address potential duplication and overlap across its business systems environment.

We have made numerous recommendations related to this high-risk issue since we added it to our high-risk list. As of December 2020, 16 recommendations in critical areas were open.

Contact Information

For additional information about this high-risk area, contact Kevin Walsh at (202) 512-6151 or WalshK@gao.gov.

Since our 2019 High-Risk Report, the five criteria remain unchanged overall, although there was both regression and progress within individual segment areas.

For example, the business enterprise architecture segment area regressed within the capacity criteria due to the department’s decision to revisit its previously planned approach to improving the architecture, halt work associated with the previous approach, and begin a new improvement effort.

There was some progress pertaining to the capacity criterion within the acquisition management segment area. In particular, the Department of Defense (DOD) Chief Management Officer (CMO) submitted a human capital report to Congress that included plans to address identified skills gaps. However, DOD has not indicated when these plans will be completed.

DOD’s Business Systems Acquisition Management

The capacity criterion rating for this segment has improved since our 2019 High-Risk Report, while the other four criteria remain unchanged.

Leadership commitment: partially met. Since our 2019 High-Risk Report, DOD has developed updated policy and guidance for managing business system investments that reflect changes called for by the National Defense Authorization Act (NDAA) for Fiscal Year 2016 (10 U.S.C. § 2222).

According to officials, in March 2020, DOD established a Defense Business Systems and Enterprise Business Optimization Directorate within the Office of the CMO. This new office was intended to assist the Office of the CMO with implementation of statutory requirements for, among other things, managing defense business systems.

DOD needs to demonstrate consistent leadership over business system acquisitions. In particular, the department has not yet made additional planned updates to its business systems investment management guidance, or defined steps for addressing this high-risk area, as planned.

Further, the NDAA for Fiscal Year 2021 repealed the CMO position and DOD needs to implement new statutory requirements regarding the future of the roles and responsibilities for business systems acquisition management that were previously assigned to the CMO.

Capacity: partially met. Since our 2019 High-Risk Report, the Office of the CMO, which established policy and guidance for business system investments and oversaw a subset of business system investments, conducted a human capital analysis, as we recommended in May 2013. This analysis included a skills inventory, needs assessment, and planned actions to better support the office’s responsibilities.

However, planned actions have not yet been completed, including business capability reviews intended to, among other things, identify skills and other resource gaps.

Action plan: not met. According to officials, the department is developing a plan that includes specific actions and associated milestones to address what remains to be done for this segment of the high-risk area. However, they have not indicated when this plan will be completed. As a result, DOD does not have a common baseline to document DOD-wide commitments and their associated time frames.

Monitoring: partially met. DOD provides information to the federal Information Technology (IT) Dashboard—a public website hosted by the Office of Management and Budget that allows federal agencies and the public the ability to view details of federal information technology investments online and to track their progress over time—that may allow the department to document progress in improving its business system acquisition outcomes.

However, without an approved action plan for addressing gaps described in this segment of the high-risk area, DOD lacks the means to monitor broader progress in improving to its business system acquisition management efforts.

Demonstrated progress: partially met. Since our 2019 High-Risk Report, DOD has had mixed success in delivering business systems investments that meet cost, schedule, and performance commitments. For example, we reported in June 2020 that the Integrated Personnel and Pay System—Army Increment 2, which is intended to deliver fully integrated personnel and pay services for all Army components, met all five of its technical performance targets, but experienced a 72 percent increase in its life-cycle cost estimate ($1.38 billion).

We also reported that the DOD Healthcare Management System Modernization, which is intended to provide modernized electronic health records, failed to meet any of its three technical performance targets and experienced a 15.7 percent increase in its life-cycle cost estimate ($1.27 billion).

In addition, since March 2019, DOD has made progress in addressing a recommendation made in March 2016 aimed at improving the management of major IT programs. This includes ensuring that the Defense Enterprise Accounting and Management System addressed weaknesses in its controls for ensuring that all software requirements are tested and validated prior to any new software releases.

However, the department still needs to address our recommendations aimed at making further improvements associated with, among other things, its use of incremental development, and updating policy or guidance for major IT programs.

What Remains to Be Done

DOD needs to take various steps, including
  • implementing planned items within the human capital analysis;
  • developing an action plan for addressing this high-risk area;
  • demonstrating improved success in meeting business systems cost, schedule, and performance expectations; and
  • addressing our various open recommendations associated with this high-risk area. Those recommendations are aimed at updates to policy or guidance for major IT programs to include, among other things, thresholds for cost and schedule variances, and a process for periodic performance reporting to stakeholders. The updates also should include, among other things, making further use of incremental development.

DOD’s Business Systems Investment Management Process

Ratings for this segment remain unchanged since our 2019 High-Risk Report, with DOD partially meeting three criteria and not meeting the remaining two.

Leadership commitment: partially met. DOD has made progress complying with requirements for managing business system investments—which support key business areas such as personnel and financial management—in the NDAA for fiscal year 2016. Nevertheless, more remains to be done.

For example, in November 2019, consistent with a legislative provision and our recommendation, DOD issued a policy requiring full consideration of sustainability and technological refreshment requirements (i.e., periodic updates to systems to help ensure their continued supportability) for its business system investments. In addition, in October 2020, the department developed a draft management playbook intended to assist the former Office of the CMO with effectively delivering its mission. The draft playbook included information such as performance measures associated with streamlining the defense business systems environment.

DOD also needs to ensure that it exercises consistent leadership over the business systems investment management process. This includes ensuring that guidance for the process is updated to include key elements from our previous recommendations. For example, the guidance should include a process to ensure that portfolio assessments intended to evaluate the performance of groups of systems, including those systems within the financial management systems portfolio, address key areas identified in our Information Technology Investment Management framework, including schedule and risks. The department also needs to ensure a plan to address this high-risk area is developed, as planned.

Further, the department needs to implement new statutory requirements regarding the future of the roles and responsibilities for business systems investment management previously assigned to the CMO.

Capacity: partially met. DOD has established an investment review board and guidance for overseeing its largest business system investments. Further, the Office of the CMO demonstrated that it had conducted a human capital analysis, as we recommended in May 2013. This analysis included a skills inventory, needs assessment, and planned actions to better support the office’s responsibilities.

However, planned actions have not yet been completed, including one that calls for the department to complete business capability reviews intended to, among other things, identify skills and other resource gaps.

Action plan: not met. According to officials, the department is developing a plan that includes specific actions and associated milestones to address what remains to be done for this segment of the high-risk area. However, they have not indicated when they expect to complete it. As a result, DOD does not have a common baseline to document DOD-wide commitments and their associated time frames.

Monitoring: not met. Without an approved action plan for addressing this segment of the high-risk area, DOD lacks a means to monitor progress towards improving to its business system investment management process.

Demonstrated progress: partially met. Since our 2019 High-Risk Report, DOD has taken steps to improve its business system investment management process by addressing some associated recommendations. For example, DOD developed a policy to require full consideration of sustainability and technological refreshment requirements for its defense business systems investments. Further, the Department of the Army demonstrated that it had improved its guidance for certifying defense business systems.

However, DOD needs to show continued progress in addressing our remaining recommendations associated with the investment management process, such as developing improved investment management guidance. For example, we have recommended that DOD should update its investment management guidance to ensure that functional strategies, which are intended to define business outcomes, priorities, measures, and standards for specific business areas (e.g., human resources management), include all of the critical elements required by the investment management guidance (e.g., performance measures that include baseline and target measures).

What Remains to Be Done

DOD should implement our recommendations on improving its business system investment management efforts, and any planned actions related to this area, including:
  • implementing planned actions within the human capital analysis;
  • updating investment management policy and guidance; and
  • ensuring that functional strategies include all of the critical elements identified in DOD investment management guidance.

DOD’s Federated Business Enterprise Architecture

Since our 2019 High-Risk Report, the capacity criteria has regressed. The other four criteria remain unchanged.

Leadership commitment: partially met. Since our 2019 High-Risk Report, the department has revamped its efforts to develop the next generation of its federated business enterprise architecture. The business enterprise architecture is DOD’s blueprint for business transformation. It is to describe information such as business capabilities, processes, data, information exchanges, system functions, system data exchanges, and technical standards. According to the department, the new approach to the architecture will involve greater integration with other key department processes, such as the investment management process.

However, as of December 2020, a plan to guide the effort to improve the business enterprise architecture, with tasks and associated milestones, had yet to be finalized by department leadership.

DOD also needs to implement new statutory requirements regarding the future of the roles and responsibilities for defense business systems previously assigned to the CMO.

Capacity: partially met. In our 2019 High-Risk Report, we reported that the department had established the tools and processes intended to improve its efforts to identify potentially duplicative systems. We also reported that the department developed a plan with associated milestones to update its architecture. However, the department did not complete all tasks associated with this plan.

DOD officials stated that, as of March 2020, DOD had revisited its approach for updating its business enterprise architecture. Department officials have stated that they expect this new approach to assist department leadership in making better decisions with a more robust set of analytical tools. DOD also provided a draft strategy for updating and using its business enterprise architecture and a timeline describing when technical updates will be completed. This timeline showed that technical updates are to be completed by the end of fiscal year 2021. However, the department did not complete its previously planned effort to update the architecture, which raises concerns about its ability to follow through with current plans.

Nevertheless, as department officials work to implement their new approach to the business enterprise architecture, they can continue to leverage existing tools to help streamline business operations and identify potentially duplicative systems, including the department’s existing business enterprise architecture and associated data.

Action plan: partially met. DOD has developed a draft strategy for updating and using its business enterprise architecture and a timeline that describes high-level activities and time frames for the technical implementation and configuration of its updated business enterprise architecture. However, the timeline is incomplete. Specifically, the timeline and other associated documentation do not address tasks associated with improving the use of the architecture and do not include all activities needed to complete the technical implementation and configuration.

Monitoring: partially met. DOD provided a timeline that describes high-level activities and time frames for the technical implementation and configuration of its business enterprise architecture and DOD officials stated that the timeline is used internally to monitor progress. However, the timeline incomplete. Nevertheless, it can be used as an indicator to determine whether the department is making intended progress for part of its planned efforts.

Demonstrated progress: partially met. DOD has established the capacity to identify potentially duplicative investments and provided examples of benefits attributed, at least in part, to its business enterprise architecture. Nevertheless, the department is revamping its approach to its business enterprise architecture and has not yet demonstrated that it is actively and consistently assessing potential duplication and overlap to eliminate duplicative systems.

Further, DOD needs to demonstrate progress in addressing our remaining open recommendations, which we made between 2012 and 2018, such as integrating its business and IT architectures, and demonstrating that the three capabilities intended to improve the business enterprise architecture have been hosted in a government-approved cloud environment.

What Remains to Be Done

DOD needs to
  • demonstrate that it has developed a plan for improving its business enterprise architecture,
  • demonstrate that it is actively and consistently using assessments of potential duplication and overlap to identify and eliminate duplicative systems, and
  • demonstrate progress in addressing our remaining open recommendations, such as integrating its business and IT architectures.

Related GAO Products

Information Technology: DOD Software Development Approaches and Cybersecurity Practices May Impact Cost and Schedule. GAO‑21‑182. Washington, D.C.: December 23, 2020.

Business Systems Modernization: DOD Has Made Progress in Addressing Recommendations to Improve IT Management, but More Action Is Needed . GAO‑20‑253. Washington, D.C.: March 5, 2020.

Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities. GAO‑18‑93. Washington, D.C.: August 2, 2018.

DOD Major Automated Information Systems: Adherence to Best Practices Is Needed to Better Manage and Oversee Business Programs. GAO‑18‑326. Washington, D.C.: May 24, 2018.

Defense Business Systems: DOD Needs to Continue Improving Guidance and Plans for Effectively Managing Investments. GAO‑18‑130. Washington, D.C.: April 16, 2018.

DOD Approach to Business Transformation

The Department of Defense should formalize key officials’ responsibilities for business transformation efforts, address resource needs, and improve analysis of its business operations costs and savings.

Why Area Is High Risk

DOD spends billions of dollars each year to maintain key business operations intended to support the warfighter, including systems and processes related to the management of contracts, finances, the supply chain, support infrastructure, and weapon systems acquisition. Weaknesses in these areas adversely affect DOD’s efficiency and effectiveness, and render its operations vulnerable to waste, fraud, and abuse.

DOD’s approach to transforming these business operations is linked to DOD’s ability to perform its overall mission, directly affecting the readiness and capabilities of U.S. military forces.

We added DOD’s overall approach to managing business transformation as a high-risk area in 2005 because DOD had not taken the necessary steps to achieve and sustain business reform on a broad, strategic, department-wide, and integrated basis.

In addition, when we added the area to the high-risk list, DOD did not have an integrated plan for business transformation with specific goals, measures, and accountability mechanisms to monitor progress and achieve improvements.

Further, DOD’s historical approach to business transformation has not proven effective in achieving meaningful and sustainable progress in a timely manner.

Contact Information

For additional information about this high-risk area, contact Elizabeth Field at (202) 512-2775 or FieldE1@gao.gov.

Since our 2019 High-Risk Report, ratings for all criteria remain unchanged. Specifically, the Department of Defense (DOD) has met the action plan criterion and partially met the leadership commitment, capacity, monitoring, and demonstrated progress criteria.

Leadership commitment: partially met. While DOD has continued to demonstrate leadership and show momentum in transforming its business operations, uncertainty about responsibility for the department’s business operations has increased.

For example, in 2019, the Secretary and Deputy Secretary of Defense led an assessment of organizations within the Office of the Secretary of Defense and selected Defense Agencies and DOD Field Activities (DAFA)—including those that support the department’s enterprise business operations. This effort aimed to better align resources with National Defense Strategy priorities.

While DOD’s actions over the past 2 years demonstrate a continued leadership commitment to business transformation, uncertainty about the responsibility for spearheading DOD reform and efficiency efforts calls into question whether this leadership commitment can be sustained. Most notably, the position of Chief Management Officer (CMO), which has functioned as the primary lead over DOD reform and efficiency efforts, has been eliminated by the National Defense Authorization Act for Fiscal Year 2021.

In recent years, this office had coordinated with other relevant components to further the department’s reform efforts. For example, as chair of DOD’s Reform Management Group, the governance forum for the department’s business reform efforts, the CMO played a key role in improvements in establishing cost baselines for business reform efforts. In January 2021, however, the Deputy Secretary of Defense issued a memorandum stating, among other things, that the Reform Management Group would be disbanded and its related ongoing actions transferred to the Defense Business Council.

Given the complexity and magnitude of the challenges facing DOD in improving its business operations, we previously identified the need for a CMO with significant authority and experience to sustain progress on these issues. While the National Defense Authorization Act for Fiscal Year 2021 provides for the transfer of the CMO’s responsibilities and resources to one or more offices within DOD, uncertainty about how the offices that assume these responsibilities will function—including whether they have appropriate authorities and resources to lead the department’s reform and efficiency efforts—may impede those efforts. The Deputy Secretary of Defense’s January 2021 memorandum provides an initial roadmap for dividing these responsibilities, but it will require specific implementing guidance. Also, there are questions about how these offices will coordinate with one another.

We have previously reported that in cases in which leadership changed—or was briefly absent—interagency collaborative mechanisms and related progress either disappeared or were considerably hindered. Our prior work has also found that organizational changes may take multiple years to be achieved. Institutionalizing these changes in policy or procedures can help sustain efforts beyond leadership turnover.

Even prior to the elimination of the CMO position, its roles, responsibilities, and authorities, such as the CMO’s ability to direct the military departments in matters related to business operations, remained informal and unresolved. Without a determination and communication by the Secretary or Deputy Secretary of Defense about how the CMO was to direct the business-related activities of the military departments, the CMO’s ability to lead DOD’s reform of its enterprise business operations and to direct the military departments was limited.

This situation could lead to fragmented business reform efforts. As the CMO’s roles and responsibilities are transferred to other officials, ensuring those officials have the necessary authorities, and that their roles and responsibilities are clearly communicated, will be important to sustaining progress in this area.

Capacity: partially met. In our March 2019 High-Risk Report, we highlighted that, while the CMO’s responsibilities were expanding, the budget requested for the Office of the CMO (OCMO) had declined. Additionally, we reported that DOD had established reform teams led by senior officials throughout the department charged with identifying and implementing initiatives to consolidate the department’s business operations.

However, the OCMO did not request funding for reform team initiatives, in part because officials had initially planned to use available funding from the savings generated by the initiatives to fund the development and implementation of other initiatives. OCMO officials later recognized the need for the initiatives to obtain funding separate from any savings realized, but had not developed an approach to do so. As a result, reform teams reported lacking funding needed to implement some of their initiatives.

DOD has made some progress in managing its existing capacity. For example, in August 2019, DOD issued guidance for reviews of the DAFAs. The guidance reflects key elements of quality evaluations including: (1) requiring frequent data-driven reviews that would support high-quality, sufficient, and appropriate data for their evaluations; (2) establishing clear criteria for selecting DAFAs to review; and (3) ensuring results of the review are relevant to leadership stakeholders. This step demonstrates a growing ability of the department to approach business transformation efforts in a methodical and systematic fashion.

However, DOD has still not established a process for identifying and prioritizing available funding to develop and implement initiatives from the cross-functional reform teams, as we recommended in January 2019. Also, OCMO officials told us that resource limitations continue to pose a significant challenge to them.

We also reported in November 2020 that while key offices responsible for overseeing reform efforts, including the OCMO, have generally followed leading practices for coordination, an absence of written guidance delineating roles and responsibilities could hinder future efforts. In light of the recent elimination of the CMO position, ensuring that the offices that assume the CMO’s responsibilities have sufficient capacity to perform those duties will be critical to sustaining progress on DOD’s efforts.

Action plan: met. In March 2019, DOD improved from partially met to met because DOD had issued its National Defense Business Operations Plan in May 2018. Further, DOD’s Fiscal Year 2019 Annual Performance Plan identified performance goals and measures to achieve the strategic goals and objectives described in the National Defense Business Operations Plan, including the goal of reforming the department’s business practices.

In its Fiscal Year 2020 and Fiscal Year 2021 Annual Performance Plans, DOD continued to reflect the strategic goals and objectives of the National Defense Business Operations Plan. As the CMO position’s responsibilities are dispersed, it will remain important for the department to continue its efforts in maintaining and refining its action plans.

Monitoring: partially met. The department has continued to make progress in monitoring its business transformation efforts, and officials have recognized the need for further improvements.

We reported in our March 2019 High-Risk update that DOD had established a senior-level Reform Management Group to identify opportunities for reform and provide support for its reform teams, although the structure and processes of the group were changing. We further described a portal the group used to track project milestones and metrics.

In recent years, DOD had refined and updated its Reform Management Group processes by, for example, establishing a charter and clarifying decision milestones for the group. DOD had continued to use its portal to provide a single source to report transparently and consistently on business reform initiatives in support of the Reform Management Group. However, as noted above, the Reform Management Group has now been disbanded.

DOD also made some progress since 2019 in establishing valid and reliable cost baselines for its enterprise business operations and in documenting related cost savings. For example, we reported in November 2020 that in a January 2020 report on defense business operations mandated by Congress, the department addressed most of the key requirements, such as reporting the number of military and civilian personnel as well as the costs of required enterprise business activities. Further, the department was transparent in acknowledging data limitations, such as a lack of specific financial data, which precluded it from meeting all requirements.

DOD has ongoing efforts to develop baselines for all of the department’s enterprise business operations that should enable it to better track the resources devoted to these operations and reform progress. In November 2020, we also reported that we observed a demonstration of the analytical tools designed to help DOD track reforms, including a tool that visualized and detailed the costs associated with individual business operations.

We also reported that, while still in progress, this effort shows promise in meeting the need for consistent baselines for DOD’s reform efforts. Ensuring that these tools are further refined and adopted across DOD’s enterprise business operations are key steps in ensuring the department has a consistent basis on which to make decisions and measure progress of its reform efforts. As the CMO’s responsibilities are dispersed, ensuring that these efforts to monitor the department’s progress are sustained will be an important part of DOD’s efforts in this area.

Demonstrated progress: partially met. DOD has claimed progress in business reform from a number of efforts, including its Defense-wide Reviews, and reform efforts led by the Reform Management Group, among others. DOD claimed a total of $37 billion in savings from fiscal year 2017 through fiscal year 2021 from its reform efforts in its annual budget materials and other reports.

However, we were unable to determine the quality of the analysis that led to DOD’s savings claims. In our November 2020 report, we reviewed selected initiatives that support the department’s reform efforts and we were generally able to validate cost savings by comparing them with budget materials. However, DOD’s analysis supporting the savings was not always well documented. For example, DOD had limited information on the analysis underlying its savings estimates, including (1) economic assumptions, (2) alternative options it considered, and (3) any costs of taking the actions to realize savings, such as implementation or opportunity costs.

Further, we reported that some of the cost savings initiatives were not clearly aligned with DOD’s definitions of reform; as a result, DOD may have overstated savings from its reform efforts. For example, one initiative was based on the delay and elimination of certain military construction projects in fiscal year 2021 to, according to DOD officials, fund higher priorities. If a construction project is delayed but still planned, those costs will likely be realized in a future year.

As we reported in November 2020, without processes to standardize development and documentation of savings and to consistently identify reform savings based on reform definitions, decision makers lack reliable information on DOD’s estimated reform savings. Nor do they have information on the extent to which these savings are due to the transformation of its business operations.

What Remains to Be Done

Since we added this area to our High-Risk List, we have made numerous recommendations related to this high-risk area, including 13 that are open. For example, to make progress in its approach to business transformation, DOD should
  • provide department-wide guidance on roles, responsibilities, and authorities for business reform efforts, including those that are being transferred from the CMO to other organizations;
  • implement and communicate a process for providing resources to support the reform teams and other department reform initiatives, as needed;
  • implement a formal process for determining and documenting savings estimates, including underlying analyses that reflect department wide guidance and best practices for economic analysis;
  • clarify the department’s definitions of reform and consistently report reform savings based on those definitions; and
  • develop formal guidance and policies as they relate to DOD reform and efficiency collaboration efforts for these efforts to be sustained beyond any leadership and organizational changes.

Related GAO Products

Defense Reform: DOD Has Made Progress, but Needs to Further Refine and Formalize Its Reform Efforts. GAO‑21‑74. Washington, D.C.: November 5, 2020.

Defense Management: DOD Needs to Implement Statutory Requirements and Identify Resources for Its Cross-Functional Reform Teams. GAO‑19‑165. Washington, D.C.: January 17, 2019.

Defense Efficiency Initiatives: Observations on DOD’s Reported Reductions to Its Headquarters and Administrative Activities. GAO‑18‑688R. Washington, D.C.: September 24, 2018.

Defense Management: DOD Needs to Address Inefficiencies and Implement Reform across Its Defense Agencies and DOD Field Activities. GAO‑18‑592. Washington, D.C.: September 6, 2018.

Government-wide Personnel Security Clearance Process

The government-wide personnel security clearance process continues to face challenges in the timely processing of clearances, measuring the quality of investigations, and ensuring the security of related information technology systems.

Why Area Is High Risk

We placed the government-wide personnel security clearance process on the High-Risk List in January 2018 because it faces significant challenges related to (1) the timely processing of clearances, (2) measuring investigation quality, and (3) ensuring IT security, among other things.

Timeliness. The executive branch has been unable to consistently process personnel security clearances within established timeliness objectives.

Quality. A high-quality personnel security clearance process minimizes the risks of unauthorized disclosures of classified information and helps ensure that information about individuals with criminal histories or other questionable behavior is identified and assessed.

While the executive branch has taken some steps to measure quality, it has not (1) established measures to ensure the quality of the entire security clearance process, and (2) collected complete data to fully assess performance.

IT security. DOD is building and managing the development of NBIS, which will replace OPM’s legacy IT systems. However, OPM has only made limited progress to remediate all identified weaknesses in its IT systems to ensure that key security controls are in place and operating as intended.

Contact Information

For additional information about this high-risk area, contact Brian M. Mazanec, (202) 512-5130, or mazanecb@gao.gov.

Since our 2019 High-Risk Report, the rating for the action plan criterion improved from not met to partially met. Our assessment of the other four criteria remains unchanged.

Leadership commitment: met. The Security Clearance, Suitability, and Credentialing Performance Accountability Council (PAC) continues to serve as the entity responsible for driving government-wide implementation of security clearance reform, among other efforts.

The PAC is chaired by the Deputy Director for Management of the Office of Management and Budget (OMB) and is comprised of three other principal members—the Director of National Intelligence (DNI), the Under Secretary of Defense for Intelligence and Security, and the Director of the Office of Personnel Management (OPM) (hereafter PAC Principals).

The PAC continues to make progress in leading agencies to complete long-standing key reform initiatives. Continued and coordinated leadership by the PAC will be important as it works to complete these initiatives, including the government-wide implementation of continuous vetting—a process to review the background of relevant personnel at any time to determine if they continue to meet applicable requirements—and performance measures to gauge the quality of the entire security clearance process.

In addition, the Office of the Director of National Intelligence (ODNI) and OPM have issued various guidance documents, including an executive correspondence in February 2020, that include measures designed to help further eliminate the backlog of background investigations. The administration completed the transfer of the government-wide background investigation mission from OPM to DOD by October 2020. The Defense Counterintelligence and Security Agency (DCSA), which was created as a result of the transfer of the background investigations mission from OPM to the Department of Defense (DOD), serves as the government’s primary investigative service provider and conducts more than 95 percent of the government’s background investigations. DCSA reported that the backlog of investigations declined from approximately 725,000 cases in April 2018 to about 220,000 cases in October 2020.

Senior DOD leadership has also set long-term goals for the development of the National Background Investigations Services (NBIS)—an information technology (IT) system that will be a key component for implementing reforms to the clearance process—and has worked with OPM on the transfer to DOD of the legacy IT systems that support the background investigations process. DCSA assumed operational control of OPM’s legacy IT systems on October 1, 2020, and will maintain those systems until they are replaced by NBIS.

Capacity: partially met. As in 2019, the PAC continues to partially meet the capacity criterion as it transitions the background investigations function from OPM to DOD. OPM and DOD facilitated the transfer of more than 99 percent of National Background Investigations Bureau (NBIB) employees, totaling around 3,000 individuals, to DCSA by September 30, 2019. DCSA officials stated that they transferred 33 remaining OPM personnel around October 1, 2020, and are transferring $266 million in contracts, including those related to OPM’s legacy IT systems.

In our 2019 High-Risk Report, we stated that OMB, ODNI, and DOD should coordinate with responsible executive branch agencies to identify the resources needed to effectively implement reform initiatives within established time frames. In 2020, DCSA began to identify the resources agencies needed to implement Trusted Workforce 2.0, an effort designed to reform and align the three current personnel vetting processes: personnel security clearances, suitability for government employment or fitness to work on behalf of the government, and personnel credentialing.

However, DCSA officials stated that they have not yet developed a strategic workforce plan that identifies the workforce needed to meet the current and future demand for its services. DCSA officials told us that they plan to begin working on a strategic workforce plan once they have more fully established their new agency.

In addition, ODNI should assess the potential effects of continuous vetting on agency resources and develop a plan to address those effects.

Action plan: partially met. The PAC now partially meets the action plan criterion as ODNI, DOD, and OPM have adopted some action plans to reduce the backlog of investigations and to transfer the legacy IT systems that support the background investigation process. Specifically, an NBIB Backlog Mitigation plan issued in December 2018 outlined various mitigation measures to reduce the investigative backlog.

However, PAC officials stated that they have not completed plans to meet clearance processing timeliness objectives or finalized new performance management goals for Trusted Workforce 2.0. Completing the plans and finalizing the goals would help position the PAC in addressing the revised timeliness objectives included in the National Defense Authorization Act (NDAA) for Fiscal Year 2020.

The PAC Principals have issued some guidance to advance personnel vetting reform efforts under Trusted Workforce 2.0. For example, the DNI issued guidance related to continuous evaluation in 2018 and 2019. The DNI and Director of OPM—the Security Executive Agent and the Suitability and Credentialing Executive Agent, respectively—also issued additional implementation guidance in 2020 for continuous vetting—a process similar to continuous evaluation that includes additional data sources to review an individual’s background.

In addition, in January 2021 ODNI and OPM published the Core Vetting Doctrine in the Federal Register for public comment. The Core Vetting Doctrine describes the main principles of Trusted Workforce 2.0 as the overarching framework for the vetting process for the federal workforce. However, ODNI and OPM have not issued other key guidance documents including revised Federal Investigative Standards and Adjudicative Guidelines.

Monitoring: partially met. The PAC continues to partially meet the monitoring criterion by tracking and reporting publicly on the progress of reforms to the clearance process through www.performance.gov—a website that provides information on the performance of executive branch agencies. In addition, the DNI collected data from agencies to monitor the clearance process, including data on the timeliness of investigations and adjudications, reciprocity, and continuous evaluation. Further, DCSA developed a detailed project schedule to monitor the development of NBIS.

ODNI also developed a performance measure to assess investigation quality and collect data using the Quality Assessment Reporting Tool to assess the extent that agencies meet this measure. However, ODNI is not collecting information from all agencies on this measure. Additionally, ODNI officials told us that ODNI does not have measures to assess the quality of the end-to-end process including the adjudication phase. ODNI officials told us that they are modernizing, centralizing, and automating the collection of data from agencies for the clearance process. Officials told us that the automated capabilities will enable them to collect, analyze, and report on the end-to-end personnel vetting process.

Further, additional actions are needed to monitor the performance of the government-wide personnel security clearance process. For example, several statutes require the DNI, in coordination with the other PAC Principals, to annually report on aspects of the clearance process, including certain matters related to the timeliness of clearances.

In its fiscal year 2019 annual report to congressional committees, ODNI reported clearance timeliness information for intelligence community agencies in a section of the report focused on the intelligence community. However, ODNI had collected timeliness information from additional agencies but excluded that information from the report. According to ODNI, this was due to some delays in reporting by a limited number of agencies in light of the government shutdown that fiscal year. Providing more complete timeliness information in annual reports to congressional committees will facilitate improved monitoring and oversight of the clearance process.

Demonstrated progress: partially met. The PAC continues to partially meet the demonstrated progress criterion by reducing the backlog of background investigations, as we discussed earlier. ODNI officials attributed the progress to reducing the backlog, in part, to two executive memorandums issued jointly by ODNI and OPM in June 2018 and February 2020.

These memorandums contain measures designed to reduce the investigation backlog, such as authorizing agencies to defer periodic reinvestigations or apply interim continuous vetting requirements to satisfy periodic reinvestigation requirements.

In addition, DOD has made progress developing NBIS as a secure, shared service for background investigations. DOD created a detailed schedule to manage the development of NBIS and is continuing to refine the schedule over time. DOD officials explained that they developed this schedule using an approach that allows them the flexibility to adapt to unforeseen obstacles when developing NBIS.

Further, the PAC has made mixed progress on the timeliness of completing background investigations and adjudications across government agencies. For example, the average time for executive branch agencies to complete the fastest 90 percent of investigations for initial secret clearances improved from 162 days in fiscal year 2018 to 58 days in fiscal year 2020. However, the PAC has not made progress to increase the number of executive branch agencies that met the timeliness objectives. Specifically, the percent of the 37 agencies providing data that met the timeliness objectives in fiscal year 2020 remained constant or increased for three objectives compared to fiscal year 2018, but decreased for the remaining three objectives. In addition, less than half of executive branch agencies providing data met the timeliness objectives for every measure in fiscal year 2020 except the objective for reinvestigations, as shown in table 7 below.
Table 7: Percent of Executive Branch Agencies That Met Timeliness Objectives for the Fastest 90 Percent of Security Clearances, Fiscal Years 2018 – 2020

Percent of agencies meeting objectives in fiscal year

Phase in the clearance process

Type of clearance

Objective
in days

2018

2019

2020 a

Investigation

Initial Secret

40

3

3

3

Initial Top Secret

80

13

9

18

Reinvestigations

150

13

22

51

Adjudication

Initial Secret

20

45

34

32

Initial Top Secret

20

47

33

27

Reinvestigations

30

69

50

35
Source: GAO analysis of Office of the Director of National Intelligence data. | GAO-21-119SP

aFiscal year 2020 data include statistics only for the first three quarters of fiscal year 2020. The COVID-19 pandemic affected executive branch agencies’ operations and resulted in reporting delays, according to ODNI officials.

In addition, PAC officials told us that they began an evidence-based review by evaluating data on the time it has taken agencies to complete the clearance process, as we recommended in December 2017. Such a review could result in adjustments to the objectives. However, the PAC has not completed that effort.

Finally, officials stated that DOD and OPM have not completed efforts to secure OPM’s legacy IT systems used for the personnel security clearance process, including implementing further security improvements to OPM’s IT environment to ensure that key security controls are in place and operating as intended.

What Remains to Be Done

We have made numerous recommendations to PAC members to address risks associated with the personnel security clearance process since 2011, including 14 that are currently open. In addition, in March 2018, we outlined necessary actions and outcomes—anchored in each of our five criteria for removal from the High-Risk List—and our prior recommendations that have to be addressed for this area to be removed from our High-Risk List. These actions and outcomes are outlined below and are directed to OMB, ODNI, DOD, and OPM, unless a lead agency is indicated.

To make progress on meeting capacity, these agencies should
  • coordinate with responsible executive branch agencies to complete the effort to identify the resources needed to effectively implement personnel security clearance reform effort initiatives within established time frames (OMB, ODNI, DOD);
  • develop and implement a comprehensive strategic workforce plan that identifies the workforce needed to meet the current and future demand for its services (DOD); and
  • assess the potential effects of continuous evaluation on agency resources and develop a plan to address those effects, such as modifying the scope of periodic reinvestigations, changing the frequency of periodic reinvestigations, or replacing periodic reinvestigations for certain clearance holders (ODNI).

To make progress on an action plan, these agencies should
  • complete plans to meet clearance processing timeliness objectives and finalize new performance management goals for Trusted Workforce 2.0; and
  • issue key guidance documents for Trusted Workforce 2.0.

To make progress on monitoring, these agencies should
  • develop and report to Congress annually on government-wide, results-oriented performance measures for the quality of the entire security clearance process (ODNI);
  • develop performance measures for continuous evaluation that agencies must track and regularly report to ODNI;
  • develop performance measures for reciprocity determinations to monitor the extent of government-wide reciprocity and report on those metrics to Congress (ODNI); and
  • develop government-wide performance measures on the quality of the entire security clearance process and collect complete data to assess performance for the measures developed (OMB, ODNI).

To improve on demonstrating progress, these agencies should
  • complete an evidence-based review of the investigation and adjudication timeliness objectives for completing the fastest 90 percent of initial secret and initial top secret security clearances as well as periodic reinvestigations, and adjust the objectives if appropriate; and
  • improve and secure personnel security clearance IT systems, including implementing further security improvements to its IT environment, including contractor-operated systems, to ensure that key security controls are in place and operating as intended (DOD, OPM).

Congressional Actions Needed

The annual assessments of timeliness and quarterly briefings required by the NDAA for Fiscal Year 2018 have served as mechanisms for Congress and the executive branch to monitor timeliness, costs, and continuous evaluation, among other things. Additional reporting requirements in the NDAA for Fiscal Year 2020 serve as another mechanism for Congress and the executive branch to monitor adjudication timeliness, continuous evaluation enrollment, and other related topics.

However, the reporting requirements from the NDAA for Fiscal Year 2018—including the annual timeliness assessments—expire at the end of 2021. Similar to what we stated in our December 2017 report, if Congress has found the information provided in response to these requirements to be beneficial, it may consider extending or renewing the requirements and expanding the scope of those reporting requirements to include information about performance measures on reciprocity determinations and quality in the clearance process.

Related GAO Products

Information Security: OPM Has Implemented Many of GAO’s 80 Recommendations, but Over One-Third Remain Open. GAO‑19‑143R. Washington, D.C.: November 13, 2018.

Personnel Security Clearances: Additional Actions Needed to Implement Key Reforms and Improve Timely Processing of Investigations. GAO‑18‑431T. Washington, D.C.: March 7, 2018.

Personnel Security Clearances: Additional Actions Needed to Ensure Quality, Address Timeliness, and Reduce Investigation Backlog. GAO‑18‑29. Washington, D.C.: December 12, 2017.

Personnel Security Clearances: Plans Needed to Fully Implement and Oversee Continuous Evaluation of Clearance Holders. GAO‑18‑117. Washington, D.C.: November 21, 2017.

Information Security: OPM Has Improved Controls, but Further Efforts Are Needed . GAO‑17‑614. Washington, D.C: August 3, 2017.

Ensuring the Cybersecurity of the Nation

Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data.

Why Area Is High Risk

Federal agencies and our nation’s critical infrastructures—such as energy, transportation systems, communications, and financial services—are dependent on IT systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being.

Because many of these systems contain vast amounts of personally identifiable information (PII) and other sensitive information, agencies must protect the confidentiality, integrity, and availability of this information. In addition, they must effectively respond to data breaches and security incidents when they occur.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks.

We have designated information security as a government-wide high-risk area since 1997. We expanded this high-risk area in 2003 to include protection of critical cyber infrastructure and, in 2015, to include protecting the privacy of PII.

Contact Information

For additional information about this high-risk area, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov, Jennifer Franks at (404) 679-1831 or franksj@gao.gov, or Vijay D'Souza at (202) 512-6240 or dsouzav@gao.gov.

Since our previous 2019 High-Risk Report, ratings for one criterion—leadership commitment—declined from met to partially met. The other four criteria remain unchanged.

Leadership commitment: partially met. The White House’s September 2018 National Cyber Strategy and the National Security Council’s (NSC) accompanying June 2019 Implementation Plan detailed the executive branch’s approach to managing the nation’s cybersecurity. In addition, in September 2020, we reported that the White House identified the NSC as the organization responsible for coordinating the implementation of the National Cyber Strategy.

In light of the elimination of the White House Cybersecurity Coordinator position in May 2018, it had remained unclear what official within the executive branch is to ultimately be responsible for coordinating the execution of the Implementation Plan and holding federal agencies accountable for the plan’s nearly 200 activities moving forward. In January 2021, Congress enacted a statute that established the Office of the National Cyber Director within the Executive Office of the President.

The office is to be headed by a Senate-confirmed National Cyber Director and is to, among other things, coordinate cybersecurity policy and operations across the executive branch. Once this position is filled, the White House can (1) ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy, and (2) coordinate the government’s efforts to overcome the nation’s cyber-related threats and challenges.

It is also important for the United States to have sufficient leadership in building consensus among international organizations regarding internet standards and cultivating norms for acceptable state behavior in cyberspace. In June 2019, the Department of State (State) notified Congress of its intent to establish a new Bureau of Cyberspace Security and Emerging Technologies (CSET) that would focus on cyberspace security and the security aspects of emerging technologies.

However, we reported in September 2020 that officials from six agencies that work with State on cyber diplomacy issues stated that (1) they were unaware of State’s plan to develop CSET, and (2) being informed of State’s plan for CSET could be helpful for maintaining their communications with State. We recommended in September 2020 that State involve federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, as it implements its plan to establish CSET.

We also reported in July 2020 that the United States does not have a comprehensive internet privacy law governing the collection, use, and sale of personal information by private-sector companies. In addition, no federal law expressly regulates the commercial use of facial recognition technology, including the identifying and tracking of individuals.

Further, in most contexts, federal law does not address how personal data derived from facial recognition technology may be used or shared. As we previously reported, the Federal Trade Commission lacks explicit and comprehensive authority related to privacy issues and the Federal Communications Commission has had a limited role in overseeing internet privacy.

Capacity: partially met. In July 2019, we reported that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) had several initiatives under way to assist agencies in meeting challenges related to hiring and retaining cybersecurity risk management personnel. For example, one such initiative included a program offering current federal employees who do not work in the information technology (IT) field the opportunity for hands-on training in cybersecurity for 3 months to help them build foundational skills in cyber defense analysis.

However, federal agencies have not fully assessed and addressed future agency cybersecurity workforce needs. In particular, we reported in March 2019 that the 24 Chief Financial Officers (CFO) Act agencies had likely miscategorized the work roles of many IT and cybersecurity positions. For example, at least 22 of the 24 agencies designated positions as not performing IT, cybersecurity, or cyber-related functions, when they did most likely perform these functions.

In addition, in October 2019, we reported that none of the 24 CFO Act agencies that we reviewed had fully implemented best practices for IT/cybersecurity workforce planning activities. Agencies’ limited implementation of these activities has been due, in part, to not making IT/cybersecurity workforce planning a priority, although laws and guidance have called for them to do so for more than 20 years. Until this occurs, agencies will likely not have the staff with the necessary knowledge, skills, and abilities to address cybersecurity risks and challenges.

In addition, federal and nonfederal critical infrastructure entities continue to face challenges in ensuring that their cybersecurity workforce has the appropriate skills. For example, according to an assessment from the Department of Energy (DOE), the electricity subsector continues to face challenges in recruiting and maintaining experts with strong knowledge of cybersecurity practices, as well as knowledge of industrial control systems supporting the electric grid.

Further, we reported in October 2020 that the Federal Aviation Administration does not currently have a staff training program specific to avionics cybersecurity and none of the agency’s certification staff are required to take cybersecurity training tailored to their oversight roles. Until these challenges are resolved, federal and nonfederal critical infrastructure entities may not have the expertise necessary to address the increasing cybersecurity risks to their systems.

Action plan: partially met. As previously mentioned, the National Cyber Strategy and associated implementation plan outline the executive branch’s approach to cybersecurity that federal agencies are to undertake. However, in September 2020, we reported that the strategy and implementation plan address some, but not all, of the desirable characteristics of national strategies.

For example, although the implementation plan detailed 191 activities that federal entities are to undertake, the plan did not include goals and timelines for 46 of the activities, identify the resources needed to execute 160 activities, or specify a process for monitoring agency progress.

Without a consistent approach to engaging with responsible entities and a comprehensive understanding of what is needed to implement all 191 activities, the executive branch will face challenges in ensuring that the National Cyber Strategy is efficiently executed.

In addition, although sector-specific agencies have developed subordinate strategies for addressing cybersecurity risks and challenges to critical infrastructure, these strategies did not always address the characteristics needed for such strategies. For example, in August 2019, we found that the nation’s electrical grid was becoming more vulnerable to cyberattacks—particularly those involving industrial control systems that support grid operations.

Although DOE had developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, these documents did not fully address all of the characteristics needed for a national strategy, such as conducting a risk assessment that had significant methodological limitations and did not fully analyze grid cybersecurity risks.

Further, although federal agencies have taken steps to develop plans for managing their cybersecurity risks, agencies have not consistently implemented those plans. For example, we reported in July 2019 that only 15 of 23 civilian CFO Act agencies had policies that called for the prioritization of plans of action and milestones (POA&M)—that is, plans that identify the corrective actions needed to remediate cybersecurity deficiencies.

In addition, we reported that 13 of 16 selected agencies had deficiencies in their processes for managing POA&Ms, such as inadequately documenting or tracking their status. As another example, in April 2020, we reported that the Department of Defense (DOD) had not fully implemented three of its key initiatives aimed at managing the department’s most common and pervasive risks. Without consistent implementation of plans for addressing cybersecurity risks, agencies may not be taking the foundational steps needed to ensure that sensitive data is not lost or agency systems are not compromised.

Monitoring: partially met. Although DHS, the General Services Administration (GSA), and OMB have established various programs aimed at helping agencies monitor and address cybersecurity risks, agencies have been challenged in implementing them, for example, in the following areas:
  • Continuous diagnostics and mitigation (CDM). DHS established the CDM program to allow federal agencies to automate network monitoring, correlate and analyze security-related information, and enhance risk-based decision-making at both the individual agency and federal levels. We reported in August 2020 that, while the three selected agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements.
  • Federal Risk and Authorization Management Program (FedRAMP). Established by OMB and managed by GSA, the FedRAMP program is intended to provide a standardized approach to securing systems, assessing security controls, and continuously monitoring cloud services used by federal agencies. However, we reported in December 2019 that, while OMB required agencies to use FedRAMP to authorize the use of cloud services, it did not monitor or ensure that agencies were doing so.

    We also reported that FedRAMP participants identified a number of challenges, such as a lack of agency resources required to authorize a cloud service or those needed by the provider to implement the program’s requirements. While GSA had taken steps aimed at addressing these challenges, its guidance on FedRAMP’s requirements and participant’s responsibilities were not always clear and the program’s process for monitoring the status of security controls over cloud services was limited.
  • DHS binding operational directives. DHS has established a five-step process for developing and overseeing the implementation of binding operational directives (i.e., mandatory requirements for certain civilian executive branch departments and agencies to safeguard federal information and information systems). The process includes validating agencies’ actions on the directives.

    We reported in February 2020 that, although DHS had carried out its validation process for selected directives, it had not done so for others. DHS was not well positioned to validate all directives because it lacked a strategy and risk-based approach to check selected agency-reported actions to validate their completion.

In addition, we reported in July 2019 that, with certain exceptions, OMB was generally implementing its government-wide Federal Information Security Modernization Act requirements, including issuing guidance and implementing programs that are intended to improve agencies' information security. However, we noted that OMB had reduced the number of CyberStat meetings (i.e., meetings held in coordination with DHS to engage agency leadership to ensure that agencies are taking the appropriate actions to strengthen their cybersecurity posture).

Specifically, it held 24 meetings in fiscal year 2016 and only three meetings in fiscal year 2018—thereby restricting key activities for overseeing agencies' implementation of information security. Additionally, in May 2019, we reported that OMB had not issued guidance requiring agencies to report on their progress in implementing National Institute of Standards and Technology’s identity proofing guidance (i.e., processes for verifying that individuals who apply online for benefits and services are who they say they are).

Further, sector-specific agencies—agencies that assist in protecting critical infrastructure owners and operators, including enhancing cybersecurity—continue to face challenges in measuring progress that critical infrastructure entities are making toward addressing cybersecurity risks. For example:
  • We reported in February 2020 that most of the sector-specific agencies had not developed methods to determine their level and type of cybersecurity framework adoption, as we previously recommended. Specifically, only two of the nine sector-specific agencies—DOD in collaboration with the defense industrial base sector and GSA in conjunction with DHS’s Federal Protective Service—had methods to determine the level and type of framework adoption across their respective sectors.
  • We reported in September 2020 that the Department of the Treasury (Treasury)—the designated lead agency for the financial sector—had not fully implemented our previous recommendation to establish metrics related to the value and results of the sector’s cyber risk mitigation efforts. Specifically, the department’s 2016 sector-specific plan, which was to direct the sector’s activities, did not identify ways to measure sector progress and was out of date. Treasury also did not track the content or progress of ongoing cyber risk mitigation efforts within the sector to minimize duplication or ensure results.

Demonstrated progress: partially met. Since 2010, we have made more than 3,300 recommendations to agencies aimed at addressing cybersecurity challenges facing the government— over 500 of which were made since the last high-risk update in March 2019. While agencies have implemented a majority of our recommendations, many face challenges in safeguarding their information systems and information, in part, because many of these recommendations have not been fully implemented.

Specifically, of the roughly 3,300 recommendations made since 2010, more than 750 had not been fully implemented as of December 2020. We have also designated 103 as priority recommendations, meaning that we believe these recommendations warrant priority attention from heads of key departments and agencies. As of December 2020, 67 of our priority recommendations had not been fully implemented.

What Remains to Be Done

Based on our prior work, we have identified four major cybersecurity challenges:
  • establishing and implementing a comprehensive cybersecurity strategy and performing effective oversight,
  • securing federal systems and information,
  • protecting cyber critical infrastructure, and
  • protecting privacy and sensitive data.

To address these challenges, we have identified 10 critical actions that the federal government and other entities need to take (see figure 9).

Figure 9: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges

Recent events highlight the urgent need to address the 10 critical actions. In December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive and alert explaining that an advanced persistent threat actor had been observed leveraging, among other techniques, a software supply chain compromise of an enterprise network management software suite to conduct a cyberattack campaign against U.S. government agencies, critical infrastructure entities, and private sector organizations.

According to CISA, this threat poses a grave risk to the federal, state, local, tribal, and territorial governments, as well as critical infrastructure entities and other private sector organizations. Subsequently, in December 2020, the Federal Bureau of Investigation, CISA, and the Office of the Director of National Intelligence formed a Cyber Unified Coordination Group to coordinate a whole of government response to the significant and ongoing cyberattack campaign.

Agencies need to urgently address the 10 critical actions to effectively respond to this incident and, thus, better position the nation to prevent, or more quickly detect and mitigate the damage of, future cyberattacks. In particular:
  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. As previously mentioned, the position of National Cyber Director needs to be filled to coordinate the execution of a national cyber strategy, including implementing activities necessary to effectively respond to significant cybersecurity incidents.
  • Mitigate global supply chain risks. We reported in December 2020 that none of the 23 civilian CFO Act agencies had fully implemented seven selected foundational practices for managing information and communications technology supply chain risks. Those agencies need to address the 145 recommendations that we made to address those weaknesses.
  • Enhance the federal response to cyber incidents. In July 2019, we reported that most of 16 selected federal agencies had deficiencies in at least one of the activities associated with incident response processes. We and the inspectors general have made thousands of recommendations aimed at improving information security programs and practices—including those relating to incident response processes over the years; however, many of these recommendations remain unimplemented.

We have ongoing work reviewing the federal response to the above-mentioned significant cyberattack campaign.

Congressional Actions Needed

We previously suggested in May 2008 that Congress consider amending laws, such as the Privacy Act of 1974 and the E-Government Act of 2002, because they may not consistently protect personally identifiable information (PII) (i.e., any information that can be used to distinguish an individual's identity).

Specifically, we found that while these laws and guidance set minimum requirements for agencies, they may not consistently protect PII in all circumstances of its collection and use throughout the federal government, and may not fully adhere to key privacy principles. However, our suggested revisions to the Privacy Act of 1974 and the E-Government Act of 2002 had not been enacted as of December 2020.

We also suggested in September 2013 that Congress consider strengthening the consumer privacy framework and review issues such as the adequacy of consumers’ ability to access, correct, and control their personal information, and privacy controls related to new technologies such as web tracking and mobile devices. However, these suggested changes had not been enacted as of December 2020.

Related GAO Products

Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks. GAO‑21‑171. Washington, D.C.: December 15, 2020.

Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks. GAO‑21‑86. Washington, D.C.: October 9, 2020.

National Security: Additional Actions Needed to Ensure Effectiveness of 5G Strategy. GAO‑21‑155R. Washington, D.C.: October 7, 2020.

Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy. GAO‑20‑629. Washington, D.C.: September 22, 2020.

Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau. GAO‑20‑607R. Washington, D.C.: September 22, 2020.

Critical Infrastructure Protection: Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts. GAO‑20‑631. Washington, D.C.: September 17, 2020.

Cybersecurity: DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program. GAO‑20‑598. Washington, D.C.: August 18, 2020.

Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene. GAO‑20‑241. Washington, D.C.: April 13, 2020.

Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements. GAO‑20‑299. Washington, D.C.: February 25, 2020.

Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed . GAO‑20‑126. Washington, D.C.: December 12, 2019.

Critical Infrastructure: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid. GAO‑19‑332. Washington, D.C.: August 26, 2019.

Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges. GAO‑19‑384. Washington, D.C.: July 25, 2019.

Strengthening Department of Homeland Security Management Functions

The Department of Homeland Security needs to continue implementing its Integrated Strategy for High-Risk Management with a particular focus on building its capacity in the areas of acquisition, information technology, and financial management.

Why Area Is High Risk

In 2003, we designated implementing and transforming DHS as high risk because the department had to transform 22 agencies—several with major management challenges—into one department. Given the significant effort required to build and integrate a department as large and complex as DHS, our initial high-risk designation addressed the department’s implementation and transformation efforts including associated management and programmatic challenges. Failure to effectively address these challenges could have serious consequences for U.S. national and economic security.

Since 2003, the focus of this high-risk area has evolved in tandem with DHS’s maturation and evolution. In September 2011, we reported in our assessment of DHS’s progress that the department had implemented key homeland security operations and achieved important goals in many areas but continuing weaknesses in DHS’s management functions had been a key theme impacting the department’s implementation efforts.

As a result, in our 2013 high-risk update, we narrowed the scope of the high-risk area to strengthening and integrating DHS management functions (human capital, acquisition, information technology, and financial).

Contact Information

For additional information about this high-risk area, contact Chris Currie (404) 679-1875 or curriec@gao.gov.

Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged.

The Department of Homeland Security (DHS) has continued its efforts to strengthen and integrate its acquisition, information technology (IT), financial, and human capital management functions. It has continued to meet three out of five criteria from the High-Risk List (leadership commitment, action plan, and monitoring) and partially meet the remaining two criteria (capacity and demonstrated progress).

Leadership commitment: met. DHS’s top leaders have continued to demonstrate commitment and support for addressing the department’s management challenges. They have also taken actions to institutionalize this commitment to help ensure the success of the department’s efforts.

For example, the Deputy Under Secretary for Management issued strategic guidance to DHS’s component agencies encouraging investment in areas critical to DHS management functions, including financial system modernization, human resource training, and career development programs.

Capacity: partially met. DHS has made progress in its coding of IT management positions. In March 2019, we found that DHS had not consistently assigned the appropriate National Initiative for Cybersecurity Education (NICE) framework work categories to its IT management positions, as required by law. We recommended that DHS review the coding for certain IT management positions, assign the appropriate NICE framework work categories, and assess the accuracy of position descriptions.

In November 2020, DHS officials stated that they had taken steps to ensure that at least one NICE code was assigned to active IT management positions. In addition, according to a December 2020 report, DHS had assigned an appropriate work role code to 98 percent of approximately 5,000 IT management positions.

In October 2020, our review of the nomination and designation process for appointing the Component Acquisition Executive (CAE) position identified instances where the acceptance criteria—standards to evaluate whether an individual is qualified for the position—were not met as described in DHS acquisition guidance. Until the DHS Office of Program Accountability and Risk Management and DHS components consistently execute the nomination and designation process, DHS’s Chief Acquisition Officer cannot be assured that oversight of acquisition programs is being conducted by individuals qualified for the CAE position.

With regard to financial management capacity, DHS has continued its efforts to identify and allocate resources for financial management, but additional progress is needed. For example, in fiscal year 2020 DHS’s financial statement auditor reported several capacity-related issues— including manual processes and lack of automated functions, resource limitations, and untimely training—as causes for the material weaknesses in the areas of financial reporting and information technology controls and information systems. In response to the auditor’s report, DHS stated that it is focused on improving IT controls and has put in place an aggressive multiyear strategy to modernize its financial systems.

Action plan: met. In January 2011, DHS produced its first semiannual Integrated Strategy for High-Risk Management and has issued 18 updated versions, most recently in September 2020. The September 2020 strategy describes DHS’s progress to date and planned corrective actions to further strengthen its management functions.

For example, the strategy includes a multiyear plan to achieve an unmodified opinion on its internal control over financial reporting and substantial compliance with the Federal Financial Management Improvement Act of 1996 by fiscal year 2024. DHS’s strategy and approach, if effectively implemented and sustained, provides a path for DHS to be removed from our High-Risk List.

Monitoring: met. In the most recent September 2020 Integrated Strategy for High Risk Management, DHS included status updates and future planned actions for each of the outcomes that are not yet fully addressed.

Demonstrated progress: partially met. In 2010, we identified, and DHS agreed, that achieving 30 specific outcomes would be critical to addressing the challenges within the department’s management areas. As of December 2020, DHS has fully addressed 17 of the 30 needed outcomes, mostly addressed five (a small amount of work remains), partially addressed five (significant work remains), and initiated actions to address the remaining three (activities have been initiated, but it is too early to report progress).
Table 8: GAO Assessment of DHS Progress in Addressing Key Outcomes

Key management function

Fully addressed a

Mostly addressed b

Partially addressed c

Initiated d

Total

Acquisition management

2

3

5

Information technology management

5

1

6

Financial management

2

3

3

8

Human capital management

5

2

7

Management integration

3

1

4

Total

17

5

5

3

30
Source: GAO analysis of DHS documents, interviews, and prior GAO reports. | GAO-21-119SP

a”Fully addressed”: Outcome is fully addressed.
b”Mostly addressed”: Progress is significant and a small amount of work remains.
c”Partially addressed”: Progress is measurable, but significant work remains.
d”Initiated”: Activities have been initiated to address the outcome, but it is too early to report progress.

Important progress and work remaining in key areas include
  • Acquisition management. DHS has taken steps to strengthen requirements development across the department, such as re-establishing the Joint Requirements Council in June 2014.

    However, DHS continues to face challenges in effectively executing its acquisition portfolio. In May 2018, we found that enhancements to DHS’s acquisition management, resource allocation, and requirements policies largely reflect key portfolio management practices. However, in January 2021, we found that, of the 24 major acquisition programs we assessed with approved schedule and cost baseline goals, 10 failed to meet one of these goals at some point in fiscal year 2020.

    While some of these instances were because of factors outside of a program’s control, such as the Coronavirus Disease 2019, we also found instances where DHS did not implement sound acquisition practices leading to other programs not meeting their schedules or cost goals. For example, two of the 10 programs failed to meet their cost or schedule goals because of an underestimation of the programs’ complexity or requirements.
  • IT management. DHS has continued to sustain and mature its department-wide Enterprise Architecture program over the past 6 years. For example, the DHS Chief Information Officer developed a fiscal year 2020-2023 Enterprise Architecture Strategic Plan to provide strategic direction for delivering IT services and solutions across the department.

    Further, the department has continued to manage its IT investments across the department by using an IT portfolio management approach. For example, in fiscal year 2020, the Office of the Chief Information Officer (OCIO) produced portfolio data and analysis related to each of the Department’s seven IT portfolios. OCIO officials reported that the Chief Information Officer and other DHS leadership used this information to support IT investment oversight and resource allocation recommendations.

    This portfolio management approach should enable DHS to identify potentially duplicative investments and opportunities to consolidate investments, as well as reduce component-specific investments.

    In addition, DHS has made progress in implementing recommendations identified in the fiscal years 2016 to 2018 DHS Office of the Inspector General’s (OIG) reports related to IT security weaknesses. However, much work remains for DHS to enhance its information security program.

    In September 2020, the OIG reported that the department’s information security program was ineffective for fiscal year 2019. Specifically, the OIG identified that DHS did not have an effective strategy or department-wide approach to manage risks for all of its systems, nor did it apply security patches and updates timely to mitigate critical and high-risk security vulnerabilities on selected components’ systems, among others.

    Additionally, in fiscal year 2020, the department’s financial statement auditor identified that DHS had ineffective design and implementation of controls to remediate IT findings, including insufficient corrective action to address deficiencies that have existed for several years in multiple information systems. Further, for the 17th consecutive year, the auditor designated deficiencies in IT systems controls as a material weakness for financial reporting purposes.

    As a result, since our 2019 report, DHS has moved from a mostly addressed to a partially addressed rating for one IT management area outcome on IT security. OCIO officials informed us that they are taking steps to address this outcome, such as conducting an independent verification and validation of plans of actions and milestones and performing configuration audit checks for selected operating systems.

    The December 2020 compromise of an enterprise network management software suite to conduct a cyberattack campaign against U.S. government agencies, including DHS, highlights the urgent need to address these vulnerabilities. In a notification to Congress on December 19, 2020, DHS stated that the DHS OCIO is examining this incident and putting mitigation measures into place. Until DHS adequately mitigates these vulnerabilities, the data maintained on its systems will remain at increased risk of unauthorized modification and disclosure, and systems will remain at risk of disruption.
  • Financial management. DHS received an unmodified audit opinion on its financial statements for 8 consecutive years—fiscal years 2013 to 2020. However, similar to its fiscal year 2019 financial statement audit, DHS’s auditor again reported two material weaknesses in the areas of (1) financial reporting, and (2) IT controls and information systems, as well as instances of noncompliance with laws and regulations. According to the auditor, these two material weaknesses led to an adverse opinion on internal controls over financial reporting.

    These deficiencies hamper DHS’s ability to provide reasonable assurance that its financial reporting is reliable and the department is in compliance with applicable laws and regulations. For DHS to obtain and sustain an unmodified audit opinion on its internal controls over financial reporting, and to achieve substantial compliance with the Federal Financial Management Improvement Act of 1996, DHS needs to continue to strengthen its financial management controls and ensure that key controls are in place to address the auditor’s findings related to the two material weaknesses.

    In addition, much work remains to modernize components' financial management systems and business processes. Specifically, DHS needs to effectively implement its long-term financial systems modernization efforts at the U.S. Coast Guard, the Federal Emergency Management Agency, and U.S. Immigration and Customs Enforcement. DHS also needs to ensure that key controls are in place to address the auditor’s findings.
  • Human capital management. Since our 2019 High-Risk Report, DHS has taken steps to move from a partially to mostly addressed rating on one outcome in the human capital management area.

    DHS made continued improvements in employee engagement as measured by the Office of Personnel Management’s Federal Employee Viewpoint Survey (FEVS). Starting in 2015, DHS reversed a 5-year downward trend in its scores on the FEVS Employee Engagement Index (EEI). After 4 consecutive years of improvements and a 2019 EEI of 62, DHS surpassed its 2010 benchmark.

    However, DHS has additional work ahead to improve its employee engagement as its 2019 Employee Engagement Index remained 6 percentage points below the government-wide average and ranked 20th among 20 large and very large federal agencies. Specifically, as we recommended in January 2021, DHS should monitor component employee engagement action planning efforts to ensure the components use performance outcomes to assess the results of their actions and to adjust, reprioritize, and identify new actions to improve employee engagement. DHS agreed with our recommendations and expects to develop written guidance for the component employee engagement action planning process in 2021.
  • Management integration. Since 2019, DHS has communicated management priorities through the department planning, programming, budgeting, and execution process. Specifically, in fiscal year 2019, the Deputy Under Secretary for Management issued strategic guidance to components encouraging investment in areas critical to DHS management functions.

    To achieve this outcome, DHS must continue to demonstrate sustainable progress integrating its management functions within and across the department, as well as fully address the other 13 outcomes it has not yet fully achieved. Outcomes not yet fully achieved include, among others, obtaining an unmodified opinion on independent audits of internal controls and consistently implementing sound acquisition practices.

What Remains to Be Done

Over the years, we have made hundreds of recommendations related to DHS management functions and many have been implemented. However, as of December 2020, there are at least 29 recommendations related to DHS management functions that DHS has not yet implemented.

Continued progress for this high-risk area depends primarily on fully addressing the 13 remaining outcomes. In the coming years, DHS needs to continue its efforts to implement its action plan, the Integrated Strategy for High-Risk Management, to show measurable, sustainable progress in employing corrective actions and achieving outcomes. In doing so, it remains important for DHS to
  • maintain its current level of top leadership support and commitment to ensure continued progress in executing its corrective actions through completion;
  • continue to identify the people and resources necessary to make progress towards achieving outcomes, work to mitigate shortfalls and prioritize initiatives as needed, and communicate to senior leadership critical resource gaps;
  • continue efforts to ensure that key controls are in place to address the auditor’s findings related to the two material weaknesses identified by its financial statement auditor, and continue the financial system modernization efforts underway;
  • continue to implement its plan for addressing this high-risk area and periodically provide assessments of its progress to us and Congress;
  • closely track and independently validate the effectiveness and sustainability of its corrective actions, and make midcourse adjustments as needed; and
  • make continued progress in achieving the 13 outcomes it has not fully addressed and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time.

Related GAO Products

DHS Annual Assessment: Most Acquisition Programs Are Meeting Goals but Data Provided to Congress Lacks Context Needed for Effective Oversight. GAO‑21‑175. Washington, D.C.: January 19, 2021.

DHS Employee Morale: Some Improvements Made, but Additional Actions Needed to Strengthen Employee Engagement. GAO‑21‑204. Washington, D.C.: January 12, 2021.

Homeland Security Acquisitions: DHS Has Opportunities to Improve Component Acquisition Oversight. GAO‑21‑77. Washington, D.C.: October 20, 2020.

Homeland Security Acquisitions: Outcomes Have Improved but Actions Needed to Enhance Oversight of Schedule Goals. GAO‑20‑170SP. Washington, D.C.: December 19, 2019.

Department of Homeland Security: Continued Leadership Is Critical to Addressing a Range of Management Challenges. GAO‑19‑544T. Washington, D.C.: May 1, 2019.

Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs. GAO‑19‑144. Washington, D.C.: March 12, 2019.

DHS Acquisitions: Additional Practices Could Help Components Better Develop Operational Requirements. GAO‑18‑550. Washington, D.C.: August 8, 2018.

Homeland Security Acquisitions: Leveraging Programs’ Results Could Further DHS’s Progress to Improve Portfolio Management. GAO‑18‑339SP. Washington, D.C.: May 17, 2018.

Cybersecurity Workforce: Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill Requirements. GAO‑18‑175. Washington, D.C.: February 6, 2018.

Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests

Agencies have made some progress towards ensuring the effective protection of technologies, but several areas remain unaddressed, including improved interagency coordination.

Why Area Is High Risk

DOD spends billions of dollars each year to develop and acquire technologies that provide an advantage for the warfighter. Many of these technologies are also sold or transferred to promote U.S. economic, foreign policy, and national security interests. Foreign entities can also acquire these technologies through investment in the U.S. companies that develop or manufacture them. In addition, they are targets for unauthorized transfer, such as theft, espionage, reverse engineering, and illegal export.

The U.S. government has a number of programs and activities to identify and protect technologies critical to U.S. interests. These include export controls—those developed to regulate exports that are transferred to foreign parties consistent with U.S. interests—as well as other activities, including anti-tamper policies, the National Industrial Security Program, and the Committee on Foreign Investment in the United States.

These programs and activities are administered by multiple federal agencies, including DOD—the only agency with a role in each of those we identified—and the Departments of Commerce, Homeland Security, Justice, State, and the Treasury. We first designated this area high risk in 2007 and continue to do so given the fragmented nature of these initiatives and lack of communication across the federal agencies involved.

Contact Information

For additional information about this high-risk area, contact William Russell at (202) 512-4841 or russellw@gao.gov.

Since our 2019 High-Risk Report, overall ratings for the five criteria remain unchanged, but we restructured our assessment of this area from two segments to one to better align with current federal efforts.

Specifically, we incorporated actions taken to implement export control reforms—previously its own segment—into the discussion of other federal agencies’ protection efforts. We also focused primarily on the Department of Defense’s (DOD) efforts to identify critical acquisition programs and technologies and how this information is shared with other federal agencies to inform their protection efforts.

Leadership commitment: partially met. In October 2018, the Secretary of Defense formed the Protecting Critical Technology Task Force (task force) to, in part, improve DOD’s process for developing and annually updating a list of acquisition programs, technologies, manufacturing capabilities, and research areas that are critical for maintaining a national security technological advantage of the United States over foreign countries of special concern.

Task force officials stated that the list, which DOD is required to establish and maintain in response to the John S. McCain National Defense Authorization Act for Fiscal Year 2019, will help inform government protection programs.

The task force reports directly to the Deputy Secretary of Defense and Vice Chairman of the Joint Chiefs of Staff. As of December 2020, though, DOD had not designated an organization that will assume responsibility for developing the list and overseeing protection efforts once the task force disbands in 2021. In January 2021, we recommended that DOD designate an organization to take over this responsibility to ensure that DOD’s current efforts to protect critical technologies do not stall. DOD partially concurred with this recommendation noting that it has not decided on an oversight mechanism, but recognizes the need for department-wide collaborative efforts to protect critical technologies.

In October 2020, the White House released its National Strategy for Critical and Emerging Technologies, which outlines the administration’s approach to protecting critical technologies as well as promoting investment and innovation. The strategy, which was developed by the National Security Council, encourages unity of effort across federal agencies and identifies 20 technology areas as critical and emerging, including artificial intelligence, biotechnologies, and space technologies.

The strategy further outlines the types of activities the U.S., with its allies and partners, should consider to maintain world leadership in these areas. According to DOD officials, DOD organizations—including the task force—and other federal agencies are expected to coordinate on how they will implement the strategy.

The Foreign Investment Risk Review Modernization Act of 2018 strengthened and modernized the activities of the Committee on Foreign Investment in the U.S., in part, by expanding the scope of covered transactions, increasing the time allowed to review a transaction, and granting special hiring authorities.

Capacity: partially met. DOD is assigning mandatory protection measures to the critical acquisition programs and technologies identified through the task force’s revised process.

However, DOD officials stated that the cost of implementing the protection measures has not been determined and will have to be balanced against competing funding demands. This determination could affect DOD’s ability to fully implement these protection measures as intended. We plan to monitor DOD’s efforts to implement protection measures.

Additionally, in 2018 we recommended that the Department of the Treasury (Treasury) coordinate with member agencies to better understand the workforce necessary to handle the Committee on Foreign Investment in the United States’ increasing workload. We also recommended that DOD identify the resources needed, among other things, to implement the National Industrial Security Program’s new piloted approach for overseeing contractors with access to classified material.

As of December 2020, Treasury has not addressed our recommendation while DOD has taken some action. Specifically, in 2019 DOD centralized its oversight of contractors with facilities that do not store classified materials. This has reduced the burden on field-based industrial security representatives and created an opportunity for the representatives to better address risk and communications with contractors that store classified information at their facilities. We will continue monitoring these efforts, especially since the Foreign Investment Risk Review Modernization Act provides some tools for Treasury and DOD to address workforce needs.

Action plan: partially met. The task force has outlined a revised four-step process to identify, communicate, protect, assess, and oversee DOD’s critical acquisition programs and technologies. For example, it provided guidance and instructions to DOD components on how to identify and prioritize their critical acquisition programs and technologies, as well as protection measures that should be implemented.

However, the task force has not provided direction to DOD components on how to share the annual critical acquisition programs and technologies list effectively across the department and with other federal agencies. In January 2021, we recommended that DOD determine a process for communicating its future critical acquisition programs and technologies lists to all relevant DOD organizations and federal agencies. DOD concurred with this recommendation noting that disseminating its critical acquisition programs and technologies list is key to the department’s efforts to protect critical technologies.

In addition, according to DOD officials, agencies involved in developing the White House’s National Strategy for Critical and Emerging Technologies will be identifying steps to implement the strategy. We will monitor DOD and other agencies’ implementation efforts moving forward.

Related to export controls, the Departments of State and Commerce implemented a recommendation we made in March 2019 by establishing a Memorandum of Understanding between the two agencies to share information from their respective watch lists to facilitate screening export license applications, including those for certain firearms.

In May 2020 we reported that universities raised concern that guidance and outreach from the Departments of State and Commerce did not adequately address university-specific export compliance issues. In addition, we noted that the universities’ perception that DOD misunderstands what constitutes fundamental research could potentially hinder universities’ abilities to conduct research for DOD.

All three agencies concurred with recommendations to update guidance or increase awareness to address these issues but have not yet taken action to implement them. Additionally, the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 amended a provision of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 requiring DOD to establish an initiative to work with institutions of higher education that, among others, perform defense research and engineering activities to support the protection of information about critical technologies relevant to national security.

Monitoring: partially met. DOD’s task force established time frames for implementing its revised four-step process to identify and protect its critical programs and technologies. However, the task force has not yet established metrics to assess the sufficiency of its protection measures.

In January 2021, we recommended that DOD develop and periodically review appropriate metrics to assess the implementation and sufficiency of protection efforts that would enable programs to assess their own protection efforts, and allow military departments or the Office of the Under Secretary of Defense to assess protection efforts more broadly. DOD partially concurred with this recommendation noting that it is considering future technology protection roles and responsibilities that may include establishing metrics to ensure effective implementation of protection requirements across the department.

Additionally, DOD has not implemented a recommendation we made in 2017 to measure progress and develop corresponding metrics related to changes to policies and procedures supporting the anti-tamper program. This program establishes methods, such as encryption and hardware protective coatings, to help delay the exploitation of technologies lost on the battlefield.

Demonstrated progress: partially met. Agencies have taken steps to improve their respective protection program over the past 2 years, but collective coordination of protection efforts across the agencies involved still needs improvement. Among the steps taken, the Departments of State and Commerce established a Memorandum of Understanding to share their watch lists. In addition, Treasury updated information on its website in March 2018 in response to our recommendation to clarify the requirement for geographic coordinates when filing a transaction with the Committee on Foreign Investment in the U.S to better identify potential national security concerns.

DOD’s actions to develop and maintain a list of its critical acquisition programs and technologies are intended to inform interagency protection efforts as well as offer an opportunity to demonstrate progress on information sharing and coordination across the federal agencies.

What Remains to Be Done

The need for action remains across the agencies and within the protection programs. Addressing recommendations we made in January 2021 aimed at strengthening DOD’s efforts to protect its critical technologies and improving coordination among the agencies responsible for programs designed to protect technologies critical to national security could lead to improvements in each of the criteria above. In particular, DOD should
  • designate the DOD organization that will be responsible for overseeing the department’s protection efforts;
  • provide direction to the DOD components for communicating DOD’s critical acquisition programs and technologies list to other federal agencies; and
  • implement protection measures associated with DOD’s revised efforts and establish measurable metrics to monitor the sufficiency of these efforts.

To strengthen agency protection programs, agencies should
  • address resource issues in the Committee on Foreign Investment in the United States; and
  • follow up on data collection and tracking recommendations for the anti-tamper program.

Related GAO Products

DOD Critical Technologies: Plans for Communicating, Assessing, and Overseeing Protection Efforts Should Be Completed . GAO‑21‑158. Washington, D.C.: January 12, 2021.

Export Controls: State and Commerce Should Improve Guidance and Outreach to Address University-Specific Compliance Issues. GAO‑20‑394. Washington, D.C.: May 12, 2020.

Export Controls: State and Commerce Should Share Watch List Information If Proposed Rules to Transfer Firearms Are Finalized. GAO‑19‑307. Washington, D.C.: March 1, 2019.

Committee on Foreign Investment in the United States: Action Needed to Address Evolving National Security Concerns Facing the Department of Defense. GAO‑18‑494. Washington, D.C.: July 10, 2018.

Defense Industrial Base: Integrating Existing Supplier Data and Addressing Workforce Challenges Could Improve Risk Analysis. GAO‑18‑435. Washington, D.C.: June 13, 2018.

Protecting Classified Information: Defense Security Service Should Address Challenges as New Approach Is Piloted. GAO‑18‑407. Washington, D.C.: May 14, 2018.

Committee on Foreign Investment in the United States: Treasury Should Coordinate Assessments of Resources Needed to Address Increased Workload. GAO‑18‑249. Washington, D.C.: February 14, 2018.

Foreign Military Sales: DOD Needs to Improve Its Use of Performance Information to Manage the Program. GAO‑17‑703. Washington, D.C.: August 22, 2017.

DOD Critical Technologies: Additional Actions Needed to Ensure Consistent Protection of Weapon Systems. GAO-17-292SU. Washington, D.C.: May 9, 2017.

Improving Federal Oversight of Food Safety

A government-wide approach is needed to address fragmentation in the federal food safety oversight system.

Why Area Is High Risk

The safety and quality of the U.S. food supply, both domestic and imported, are governed by a highly complex system stemming from at least 30 federal laws that are collectively administered by 15 federal agencies. We have long reported on the fragmented federal food safety oversight system, which has caused inconsistent oversight, ineffective coordination, and inefficient use of resources. We added federal oversight of food safety to the High-Risk List in 2007. In recent years, we have made recommendations aimed at helping to reduce fragmentation in federal food safety oversight.

A 2011 estimate by CDC—its most recent—indicates that, as a result of foodborne illness, roughly one in six Americans (48 million people) gets sick each year, 128,000 are hospitalized, and 3,000 die. CDC data for 2010 to 2014 also show that the number of reported multistate foodborne illness outbreaks is increasing. CDC cites several potential contributors to the increase in reported multistate outbreaks, including greater centralization of food processing practices, wider food distribution, and improved detection and investigation methods.

Contact Information

For additional information about this high-risk area, contact Steve Morris at Morriss@gao.gov or (202) 512-3841.

Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged.

Leadership commitment: partially met. The U.S. Departments of Agriculture (USDA) and Health and Human Services (HHS) have now both demonstrated leadership by updating their strategic and performance-planning documents to better address crosscutting food safety efforts, as we recommended in December 2014.

In addition, according to the Office of Management and Budget (OMB), the administration is working toward greater coordination among federal agencies through the framework of the FDA Food Safety Modernization Act (FSMA), enacted in 2011. For example, the Food and Drug Administration (FDA) has demonstrated leadership by continuing to collaborate with USDA on the Produce Safety Rule, which went into effect in 2016, to support the implementation of FSMA.

However, federal agencies have not developed a national plan or strategy for food safety. Specifically, Congress has not directed OMB to develop a government-wide performance plan for food safety to address our December 2014 matter, and the administration has not taken action to develop such a plan or to address our January 2017 recommendation to develop a national strategy for food safety. To more fully demonstrate leadership in this area, the administration should develop for food safety either a government-wide performance plan or, at a minimum, a national strategy.

Capacity: partially met. Federal food safety agencies would benefit from a centralized collaborative mechanism on food safety. In 2009, the President established the Food Safety Working Group (FSWG) to coordinate federal food safety efforts; however, this group has not met in nearly 10 years. Congressional action is required to formalize such a mechanism through statute.

Identifying resources needed to carry out the food safety mission would be an important part of a government-wide performance plan or, at a minimum, a national strategy for food safety. Developing such a plan or strategy that encompasses the contributions of all federal agencies with a food safety role would demonstrate capacity and could address our December 2014 matter and our January 2017 recommendation.

Action plan: not met. Without an action plan, such as a government-wide performance plan or, at a minimum, a national strategy for food safety, Congress, program managers, and other decision makers are hampered in their ability to identify agencies and programs addressing similar missions and to set priorities, allocate resources, and restructure federal efforts, as needed, to achieve long-term goals.

Such a national strategy for food safety that fulfills government-wide planning needs should, among other things, have a clearly stated purpose, establish sustained leadership, identify resource requirements, and describe how progress will be monitored.

Moreover, without a centralized collaborative mechanism—such as the FSWG—to address food safety, agencies do not have a forum to agree on a set of broad-based food safety goals and objectives that could be articulated in a government-wide performance plan or national strategy on food safety.

Monitoring: not met. A government-wide performance plan or, at a minimum, a national strategy for food safety, would facilitate effective monitoring of federal food safety efforts so the efforts would be clear and transparent to Congress and the public.

To understand federal food safety oversight actions, currently Congress, program managers, other decision makers, and the public must access, attempt to make sense of, and reconcile individual documents across the many federal agencies that administer federal statutes governing food safety and quality.

A government-wide performance plan or national strategy would enable Congress and the agencies to monitor the effectiveness of federal food safety programs, particularly those involving more than one agency, and identify areas needing corrective measures.

Demonstrated progress: partially met. Since our 2019 High-Risk Report, USDA has joined HHS in implementing our 2014 recommendations to update their strategic and performance planning documents to more fully describe how they are working with other agencies to achieve their food safety-related goals and objectives.

Nevertheless, the agency-by-agency focus of individual planning documents does not provide the integrated perspective on federal food safety performance necessary to guide congressional and executive branch decision-making and inform the public about federal actions to ensure food safety. Those individual documents could, however, provide building blocks toward the next step of developing a single, government-wide performance plan for food safety.

FDA and USDA also continue to collaborate on food safety through joint working groups and information sharing practices, such as the Interagency Foodborne Outbreak Response Collaboration and the Interagency Risk Assessment Consortium. However, the development of a broader government-wide performance plan or, at a minimum, a national strategy for food safety is still needed and could involve other agencies, such as those that we have identified as having a food safety role.

These agencies include (1) the Centers for Disease Control and Prevention (CDC), which identifies and coordinates the investigation of foodborne illness outbreaks to protect the public health; (2) the Department of Commerce’s National Marine Fisheries Service, which provides voluntary fee-for-service examinations of seafood for safety and quality; and (3) the Department of Homeland Security’s Customs and Border Protection, which, among other things, inspects imports of food products, plants, and live animals for compliance with U.S. law and assists federal agencies in enforcing their regulations at the border.

A government-wide performance plan or national strategy for food safety that includes the multiple agencies with a food safety role could foster sustained progress in addressing fragmentation in the federal food safety oversight system.

What Remains to Be Done

Since food safety was added to the High-Risk List in 2007, we have made numerous recommendations to enhance collaboration among agencies with food safety responsibilities. As of December 2020, seven of these recommendations are still open. There is one open recommendation that is significant for removing food safety from the High-Risk List:
  • In 2017, we recommended that appropriate entities within the Executive Office of the President (EOP), in consultation with relevant federal agencies and other stakeholders, develop a national strategy for food safety that, among other things, establishes high-level sustained leadership, identifies resource requirements, and describes how progress will be monitored. The EOP did not provide comments on our recommendation

Congressional Actions Needed

As of December 2020, there are three open matters for congressional consideration that are significant for removing food safety from the High-Risk List: two since 2007 and one dating to 2001:
  • In 2014, we suggested that Congress consider directing OMB to develop a government-wide performance plan for food safety that includes results-oriented goals and performance measures and a discussion of strategies and resources.
  • In 2014, we suggested that Congress consider formalizing the FSWG through statute to help ensure sustained leadership across food safety agencies over time.
  • In 2001, we suggested that Congress consider commissioning the National Academy of Sciences or a blue ribbon panel to conduct a detailed analysis of alternative organizational food safety structures and report the results of such an analysis to Congress.

We would accept either a government-wide performance plan or, at a minimum, a national strategy for food safety to address many of the concerns raised in our work.

Related GAO Products

Food Safety: FDA and USDA Could Strengthen Existing Efforts to Prepare for Oversight of Cell-Cultured Meat. GAO‑20‑325. Washington, D.C.: April 7, 2020.

Food Safety: Federal Efforts to Manage the Risk of Arsenic in Rice. GAO‑18‑199. Washington, D.C.: March 16, 2018.

Imported Seafood Safety: FDA and USDA Could Strengthen Efforts to Prevent Unsafe Drug Residues. GAO‑17‑443. Washington, D.C.: September 15, 2017.

Food Safety: A National Strategy Is Needed to Address Fragmentation in Federal Oversight. GAO‑17‑74. Washington, D.C.: January 13, 2017.

Food Safety: FDA Coordinating with Stakeholders on New Rules but Challenges Remain and Greater Tribal Consultation Needed. GAO‑16‑425. Washington, D.C.: May 19, 2016.

Federal Food Safety Oversight: Additional Actions Needed to Improve Planning and Collaboration. GAO‑15‑180. Washington, D.C.: December 18, 2014.

Federal Food Safety Oversight: Food Safety Working Group Is a Positive First Step but Governmentwide Planning Is Needed to Address Fragmentation. GAO‑11‑289. Washington, D.C.: March 18, 2011.

Food Safety and Security: Fundamental Changes Needed to Ensure Safe Food. GAO‑02‑47T. Washington, D.C.: October 10, 2001.

Protecting Public Health through Enhanced Oversight of Medical Products

The Food and Drug Administration needs to increase monitoring of medical products manufactured overseas and improve planning for drug shortages.

Why Area Is High Risk

Millions of medical products—drugs, biologics, and medical devices—are used daily by Americans at home, in the hospital, and in other health care settings. FDA has the vital mission of protecting the public health by overseeing the safety and effectiveness of these products marketed in the United States. The agency’s responsibilities begin long before a product is brought to market and continue after FDA approves a product, regardless of whether it is manufactured in the United States or abroad.

FDA has been confronted with multiple challenges, including (1) rapid changes in science and technology, (2) globalization as many products are manufactured abroad, (3) unpredictable public health crises, (4) an increasing workload to ensure medical product availability, and (5) the continuing need to monitor the safety of thousands of marketed medical products. The oversight of medical products was added to our High-Risk List in 2009 because these obstacles threatened to compromise FDA’s ability to protect public health. While progress has been made, FDA continues to face these challenges as well as the additional challenge of the COVD-19 pandemic.

Contact Information

For additional information about this high-risk area, contact Mary Denigan-Macauley or John E. Dicken at (202) 512-7114 or deniganmacauleym@gao.gov or dickenj@gao.gov.

Since our 2019 High-Risk Report, our assessment of efforts to address ratings for all five criteria remains unchanged. The Food and Drug Administration (FDA) continues to demonstrate leadership support for improving its oversight of medical products for both the globalization and drug availability segments. However, the agency has not fully met the remaining criteria.

In the globalization segment of this high-risk area, the capacity criterion has regressed from met to partially met. In the drug availability segment, the five criteria remain unchanged. FDA’s effective oversight will be especially important to ensuring the availability of medical products needed to fight the Coronavirus Disease 2019 (COVID-19) pandemic.

Response to Globalization

Since our 2019 High-Risk Report, ratings in this segment for four criteria remain unchanged. However, the capacity criterion regressed to partially met.

Leadership commitment: met. FDA met this criterion in 2015. The agency continues to demonstrate leadership commitment by (1) reorganizing its office dedicated to confronting the challenges of globalization in 2019, and (2) releasing a new 5-year strategic plan in March 2020.

Continued commitment from leadership will be important for FDA’s ability to respond to ongoing and evolving challenges. For example, the COVID-19 pandemic affected FDA’s ability to conduct inspections of foreign drug manufacturers, limiting a critical source of information about the quality of drugs manufactured for the U.S. market. Addressing its challenges will require sustained leadership focus.

Capacity: partially met. FDA now partially meets this criterion—regressing from met in our 2019 High-Risk Report. From fiscal years 2012 through 2016, FDA conducted an increasing number of inspections of foreign drug manufacturing establishments. However, in fiscal years 2017 and 2018, these inspections decreased.

FDA officials attributed this decrease to, in part, vacancies in the number of investigators available to conduct inspections. In June 2020, we reported that FDA had vacancies among each of the groups of investigators who conduct foreign inspections. For example, within its foreign offices in China and India, about one-third of its drug investigator positions were vacant.

Further, in March 2020, FDA announced that, due to COVID-19, it was postponing almost all inspections of foreign establishments. While FDA indicated it has other tools to ensure the safety of the U.S. drug supply, the lack of foreign inspections removes a critical source of information about these drugs. As of January 2021, FDA did not have an expected date for resuming regular foreign inspections in all countries.

Action plan: met. FDA met this criterion in 2015 and continues to take steps to meet it. In March 2020, the agency released a 5-year strategic plan to guide the activities of the office that overseas its global activities. It also partnered with European regulators to leverage their resources. By July 2019, FDA had determined that 28 European regulators were capable of conducting inspections that meet FDA’s requirements. In fiscal year 2020, during the postponement of inspections, FDA increased its reliance on inspections from these regulators in lieu of conducting its own inspections.

Monitoring: partially met. FDA has taken steps to better monitor its program for inspecting foreign establishments by improving the accuracy and completeness of information on foreign establishments subject to inspection. However, despite these steps, in June 2020, we reported that data challenges continued to make it difficult for FDA to accurately identify foreign establishments subject to inspection.

Specifically, since 2017, FDA pursued an initiative to inspect approximately 1,000 foreign establishments lacking an inspection history. FDA completed this initiative, but, in doing so, it found that a sizeable percentage of the establishments in its data system did not have to be inspected by FDA (e.g., about 40 percent of those assigned to its office in China in fiscal years 2017 and 2018). For example, some were not subject to inspection because it turned out they did not actually manufacture drugs for the U.S. market. FDA also has not fully developed measures allowing it to systematically track how its foreign office activities contribute to drug safety outcomes.

In addition, FDA has not yet completed its efforts to develop performance measures for the foreign offices and assess their effectiveness. In August 2020, FDA reported that it was revising and updating its measures and its approach to evaluating impact to align with the strategic plan.

Demonstrated progress: partially met. FDA has taken steps to respond to globalization, including (1) improving the accuracy and completeness of its information on foreign manufacturers, and (2) deciding it will no longer allow more than 5 years to elapse between inspections at a specific establishment.

However, in June 2020, we reported that FDA continued to face challenges when conducting foreign inspections that raised questions about their equivalence to domestic inspections. In particular, while domestic inspections are almost always unannounced, officials said that FDA generally preannounces foreign inspections about 12 weeks in advance, which may give manufacturers the opportunity to fix problems. These challenges are further complicated by the pause in inspections resulting from the COVID-19 pandemic. FDA must address these challenges and demonstrate that it can maintain its oversight of drugs manufactured overseas.

What Remains to Be Done

Since we added this area to our High-Risk List, we have made numerous recommendations related to the agency’s response to globalization.
  • As of December 2020, two recommendations remain open related to the development of performance measures and assessing the effectiveness of the foreign offices.
  • FDA should also ensure all establishments are inspected at an appropriate frequency and take steps to address the staffing and other challenges associated with inspecting foreign establishments. The COVID-19 pandemic has exacerbated some of these challenges, making continued commitment from leadership especially important.

Drug Availability

Since our 2019 High-Risk Report, ratings for all five criterion in this segment remain unchanged. FDA continues to meet the criteria for leadership commitment and for monitoring.

Leadership commitment: met. In the 2015 High-Risk Report, we recognized FDA demonstrated leadership commitment to drug availability by (1) issuing a strategic plan for preventing and mitigating drug shortages, and (2) including in its strategic priorities the agency’s ability to respond to drug shortages.

FDA’s commitment to addressing this public health concern continues to be strong, as evidenced by the continued meeting of its drug shortages task force that started in 2013. Additionally, FDA established an interagency task force in July 2018 to identify the root causes of drug shortages and provide solutions, which culminated in an October 2019 report that offered recommendations for FDA and others.

Capacity: partially met. As noted in the 2019 High-Risk Report, FDA improved its capacity to respond to drug shortages, but the agency alone cannot resolve these shortages. In September 2020, FDA described efforts that it was taking to promote the use of new manufacturing techniques that have the potential to shorten production times and improve the efficiency of manufacturing processes.

In addition, the October 2019 report from FDA’s Drug Shortages Task Force included recommendations for industry, such as to promote contracting practices that would help ensure a more reliable supply of medically important drugs.

Beyond drug shortages, FDA has also faced oversight challenges that could affect the availability of drugs. For example, FDA has reported that (1) it has not had sufficient resources to adequately regulate over-the-counter drugs (e.g., cough and cold medications); and (2) a lengthy regulatory process has hindered the availability of new drug ingredients to the U.S. market. Consequently, the agency noted it has not allowed the marketing of many new over-the-counter drugs or made timely changes to existing over-the-counter drugs based on emerging safety issues or evolving science.

In March 2020, FDA received additional statutory authorities, including the authority to collect user fees from manufacturers of over-the-counter drugs, that officials said could allow FDA to address identified safety risks in a more timely and efficient manner. However, FDA officials said it will take time before FDA is able to fully realize any benefits that might result from these changes. For example, according to FDA, it generally takes 2 years for any newly hired FDA staff to complete training and be fully effective in reviewing scientific information related to the regulation of over-the-counter drugs.

Action plan: partially met. In October 2019, FDA’s Drug Shortages Task Force examined the root causes of drug shortages and made recommendations for FDA and others. However, FDA still has not used the drug shortages data it collects to analyze trends or identify patterns to help predict future shortages to assist with managing efforts. In August 2020, FDA reported it had begun modeling efforts to explore the feasibility of predicting future drug shortages and would identify next steps after it completes these initial efforts.

We also reported on other opportunities FDA has to increase drug availability. Specifically, in August 2019, we reported that in its review of generic versions of brand name drugs, FDA needed to (1) address inconsistencies in written comments provided by FDA reviewers that could lead to longer reviews, and (2) assess the extent to which actions by brand-name drug companies affect the approval of generic versions. In December 2020, FDA indicated it was taking steps to address both issues.

In addition, FDA still needs to take actions to address shortcomings in its broader strategic planning efforts. For example, FDA needs to engage in a strategic planning process to identify challenges that cut across each of its centers responsible for overseeing medical products and document how it will achieve measurable goals and objectives in these areas.

Monitoring: met. In the 2019 High-Risk Report, we recognized that FDA met this criterion through the consistent use of its drug shortage information system to track potential and existing shortages. The agency established formal procedures for using the system and performance measures to evaluate its ability to respond when shortages occur.

FDA has continued to issue annual reports on drug shortages data, most recently in April 2020. At the beginning of the COVID-19 pandemic, FDA asked more than 180 drug manufacturers to evaluate their supply chain for elements manufactured in China; FDA then monitored these companies for drug shortage risks.

Demonstrated progress: partially met. FDA has demonstrated progress to improve its ability to respond to drug shortages. However, FDA has not implemented all of our recommendations, such as periodically analyzing its shortage data to proactively identify risk factors.

Additionally, drug shortages remain a public health concern, and one that has been further complicated by the COVID-19 pandemic. For example, FDA temporarily authorized the emergency use of chloroquine and hydroxychloroquine to treat COVID-19. However, the products then went into shortage and were unavailable to treat other conditions (e.g., lupus and rheumatoid arthritis), for which the drug was already approved.

What Remains to Be Done

Since we added this area to our High-Risk List, we have made numerous recommendations related to drug availability, three of which were made since the last High-Risk Report in March 2019. As of December 2020, nine recommendations remain open. Although FDA alone cannot guarantee drug availability, the agency can take important steps to help ensure that safe and effective drugs are accessible to patients. FDA should implement our recommendations, including to
  • conduct periodic analyses to assess drug shortage information to proactively identify risk factors for potential drug shortages;
  • take additional steps to address inconsistency in its written comments to generic drug application sponsors that can lead to longer reviews; and
  • plan strategically to identify challenges that cut across FDA’s multiple centers overseeing medical products, and document how the agency will achieve measurable goals and objectives in these areas.

Related GAO Products

COVID-19: Federal Efforts Accelerate Vaccine and Therapeutic Development, but More Transparency Needed on Emergency Use Authorizations. GAO‑21‑207. Washington, D.C.: November 17, 2020.

Over-the-Counter Drugs: Information on FDA's Regulation of Most OTC Drugs. GAO‑20‑572. Washington, D.C.: July 29, 2020.

Drug Safety: COVID-19 Complicates Already Challenged FDA Foreign Inspection Program. GAO‑20‑626T. Washington, D.C.: June 2, 2020.

Generic Drug Applications: FDA Should Take Additional Steps to Address Factors That May Affect Approval Rates in the First Review Cycle. GAO‑19‑565. Washington, D.C.: August 7, 2019.

Drug Safety: FDA Has Improved Its Foreign Drug Inspection Program, but Needs to Assess the Effectiveness and Staffing of Its Foreign Offices. GAO‑17‑143. Washington, D.C.: December 16, 2016.

Drug Shortages: Public Health Threat Continues, Despite Efforts to Help Ensure Product Availability. GAO‑14‑194. Washington, D.C.: February 10, 2014.

Transforming EPA’s Process for Assessing and Controlling Toxic Chemicals

The Environmental Protection Agency needs to improve its monitoring efforts to assess and control chemicals that pose risks to human health and the environment.

Why Area Is High Risk

EPA’s ability to effectively implement its mission of protecting public health and the environment is dependent on assessing in a credible and timely manner the risks posed by chemicals in commerce and those that have yet to enter commerce. EPA’s programs under IRIS and TSCA are the two segments in this high-risk area.

The IRIS Program’s chemical assessments are the cornerstone of scientifically sound environmental decisions, policies, and regulations under a variety of statutes, such as the Safe Drinking Water Act and the Clean Air Act. EPA prepares assessments of chemical hazards to human health under its IRIS Program, among others, for making environmental protection and risk-management decisions.

EPA is authorized under TSCA to review chemicals, including conducting risk evaluations, obtain more information on them, and control chemicals the agency determines pose an unreasonable risk to human health. TSCA was amended in 2016 by the Frank R. Lautenberg Chemical Safety for the 21st Century Act. The Lautenberg Act will take years to implement because of the complexity and scope of the legislation.

Because EPA had not developed sufficient chemical assessment information under these programs to limit exposure to many chemicals that may pose substantial health risks, we added this issue to the High-Risk List in 2009 as a government program in need of broad-based transformation.

Contact Information

For additional information about this high-risk area, contact J. Alfredo Gómez at (202) 512-3841 or gomezj@gao.gov.

Since our 2019 High-Risk Report, four criteria remain unchanged. However, the rating for monitoring decreased from partially met to not met in 2021. Furthermore, ratings for three criteria in the Integrated Risk Information System (IRIS) Program and four criteria in the Toxic Substances Control Act (TSCA) segments declined.

Integrated Risk Information System

Since 2019, ratings for capacity and action plan remain unchanged, as partially met. However, ratings for leadership commitment, monitoring, and demonstrated progress declined to not met.

Leadership commitment: not met. This rating declined from partially met in 2019. We reported in March 2019 that the Environmental Protection Agency (EPA) Administrator had not identified the IRIS Program as among his top priorities for the agency. Furthermore, the Administrator’s congressional budget justification for fiscal year 2021 proposed a 34 percent ($12.7 million) cut to the Health and Environmental Risk Assessment area’s budget, approximately half of which is the IRIS Program’s budget. This is the fourth year in a row that the Administrator has proposed such a reduction. Although Congress in prior years directed that funding remain at fiscal year 2017 enacted levels, the Administrator’s proposed budget cut contributed to the decline in rating for leadership to not met.

Additionally, EPA’s agency-wide strategic plan for fiscal years 2018 through 2022 does not mention the IRIS Program. Although the strategic plan has a section focused on human health risk assessments, it does not explain how the IRIS Program’s work supports EPA’s goals of protecting human health and the environment.

In our December 2020 report, we found that EPA would benefit from increasing transparency about the IRIS Program’s processes and work. For example, EPA did not publicly explain continued delays in chemical assessment production, and program and regional offices’ processes for nominating chemicals for assessment lacked transparency and structure. We recommended that EPA provide more information publicly about where chemical assessments are in the development process, internal and external steps in the process, and changes to assessment milestones.

Capacity: partially met. According to officials, EPA’s workforce has remained fairly stable since 2018 but the agency could not provide us with documents indicating any workforce planning or analysis. Although the workforce remained stable, in December 2018 EPA decreased the number of assessments the IRIS Program was working on from 22 to 13 (two more assessments were started in 2019 bringing the total to 15 ongoing assessments as of December 2020). EPA did not indicate why there was a reduction in the number of assessments in development. In addition, EPA has not made public any information about the program’s current or future resource capacity for meeting EPA-wide needs for chemical assessments.

Action plan: partially met. We reported in December 2020 that EPA has a draft strategic research action plan for the Health and Environmental Risk Assessment National Research Area, of which the IRIS Program is a part. Although this plan does not address our May 2013 recommendation that EPA develop an agency-wide strategy to address unmet needs internally and to coordinate externally, it calls for coordinating the work of several Office of Research and Development (ORD) programs—including IRIS—that produce chemical assessments. Planning for such coordination of the various assessments ORD produces is encouraging, but reviews of the plan found that it lacks important details.

For example, it did not include an implementation strategy or metrics to define progress or mention the resources the IRIS Program needs to produce chemical assessments to meet user needs. EPA neither provided an update about the plan’s status nor information on the agency’s plans for implementation.

Monitoring: not met. This rating declined from met for two reasons. First, as we reported in December 2020, despite a decline in participation in the assessment nomination process from 2018 to 2019, EPA has not assessed whether this survey is achieving its intended purpose and is generating quality information. While EPA reported that it gathered feedback from its senior leadership about the nomination process, it did not have information on how feedback informed future monitoring efforts. Second, ORD’s advisory committee review of the Health and Environmental Risk Assessment strategic research action plan found that the plan did not include an implementation strategy or metrics to define progress and allow for monitoring.

To make progress in this area, EPA needs to include implementation steps in its strategic plan, define clear metrics for assessing program progress in meeting objectives, and show that it is monitoring the IRIS Program as a whole as well as continuing to assess specific activities—such as the survey—to ensure they are achieving stated objectives.

Demonstrated progress: not met. The IRIS Program’s objective is to issue chemical assessments for use in EPA’s risk evaluation and management activities. However, the program did not issue any completed assessments between August 2018 and December 2020. We also found that since December 2018, the IRIS Program had publicly released nine supporting documents for ongoing chemical assessments—primarily documents that indicate how assessments will be developed—but few chemical assessments had progressed through the assessment development process.

For example, two assessments completed peer review in February 2019—the fourth of seven steps in the assessment development process—but have yet to be finalized and released publicly as of December 2020. For most chemical assessments the program is developing, projected milestone dates have been delayed at least a quarter.

EPA told us that changes in IRIS assessment schedules are typically due to the scientific complexities of each assessment and availability of staff with the appropriate expertise. However, EPA did not identify the scientific complexities associated with any specific assessment or explain why it did not anticipate and resolve these unspecified complexities.

What Remains to Be Done

Since we added the IRIS Program to our High-Risk List in 2009, we have made 14 recommendations related to the IRIS segment of this high-risk area, including five recommendations in our December 2020 report. As of December 2020, nine recommendations remain open. As we noted in several reports, to make progress EPA should, among other things,
  • indicate how EPA programs, including the IRIS Program, are being resourced and coordinating with each other to meet EPA-wide needs;
  • increase transparency by publishing IRIS agendas on which chemicals EPA is actively assessing and when it plans to start assessments of the other listed chemicals to demonstrate progress; and
  • complete an action plan with a strategy to address the needs of EPA program offices and regions when IRIS toxicity assessments are unavailable.

Our December 2020 chemical assessments report provides further information on what remains to be done to address challenges in the IRIS Program.

Congressional Actions Needed

Congress should consider what resources the IRIS Program needs to ensure it can produce the chemical assessments EPA offices require to perform their work.

Toxic Substances Control Act

Since our 2019 High-Risk Report, ratings for demonstrated progress remained unchanged. However, ratings for leadership commitment declined from met to partially met; ratings for capacity, action plan, and monitoring declined from partially met to not met.

Leadership commitment: partially met. TSCA remains an agency priority as noted in testimony by the Administrator and in the most recent budget request. The EPA budget request for fiscal year 2021 includes an increase of $8.5 million for TSCA implementation and $4 million for TSCA records digitization. But in May 2020, the Administrator stated that EPA would not meet its deadlines for releasing the first 10 chemical risk evaluations; EPA stated that it would complete them by the end of 2020. The Administrator also stated in May 2020 that EPA had identified the next 20 high-priority chemicals for risk evaluation and that scoping documents that include information to be included in the risk evaluations, such as the chemical hazards and exposures, would be released in mid-2020.

Capacity: not met. The 2016 Lautenberg Act provided EPA with greater authority to address chemical risks, which consequently increased EPA’s responsibility for regulating chemicals and increased its workload. However, the Office of Pollution Prevention and Toxics (OPPT), which implements TSCA, did not meet statutory deadlines for its first 10 high-priority risk evaluations, according to the EPA Office of the Inspector General’s (OIG) August 2020 report. Furthermore, OIG found that OPPT would be required to produce double the number of risk evaluations by the end of 2022 with only a slight increase in the number of staff.

Additionally, as of December 2020, EPA had not implemented the recommendation we made in 2013 regarding TSCA’s ability to identify resources needed to conduct risk assessments. Specifically, EPA program offices have not identified workforce needs for budget justification purposes since 1987, according to the August 2020 OIG report.

The OIG report also stated that OPPT expected to hire more than 50 staff members in fiscal year 2020 but had not conducted a workforce and workload analysis to demonstrate that, even with 50 additional staff, it would have the capacity to successfully implement the TSCA requirements by the statutory deadlines. Although EPA officials said they are preparing a workforce analysis, they did not provide a draft to us.

In addition to the challenges of meeting existing deadlines, EPA has to incorporate a recent court ruling into its ongoing risk evaluations. Under this ruling, EPA must evaluate the risks associated with the use and disposal of chemicals that are not being, and are not expected to be, manufactured, processed, or distributed—called legacy uses. For example, polychlorinated biphenyls (PCBs) were produced until the late 1970s, when their production was banned in the United States. But older products such as fluorescent lights, caulking, and paints may contain PCBs, and remain a concern for workers and consumers. According to EPA’s OIG, the resulting expansion of the scope of EPA’s risk evaluation process will require the agency to devote more staffing and resources to existing chemical risk evaluations.

Action plan: not met. The TSCA amendments require EPA to publish a plan at the beginning of each calendar year for completing risk evaluations of chemicals already in commerce. The plan must identify (1) risk evaluations to be initiated or completed that year, (2) necessary resources, and (3) an updated schedule for completing risk evaluations.

However, the August 2020 OIG report found that OPPT’s annual plans did not meet the statutory requirement. The plans did not identify steps to complete future work or specify the financial and staff resources needed to initiate or complete the risk evaluations for that year. EPA partially agreed with the OIG’s recommendation to include anticipated implementation efforts and financial and staff resources in its annual reports to Congress, beginning in 2021.

Monitoring: not met. Although OPPT has developed annual performance goals that correspond to EPA’s long-term performance goals, the agency did not provide us with the underlying metrics or information on how they influenced changes to improve performance. The August 2020 OIG report indicates that OPPT has done no workforce or workload planning to ensure it can meet TSCA deadlines. EPA agreed with the OIG’s recommendations to perform a workforce analysis—as mentioned above—and a skills gap analysis.

Demonstrated progress: partially met. EPA took regulatory actions, including finalizing a rule that requires EPA to, for example, review certain new uses of per- and polyfluoroalkyl substances in surface coatings, such as apparel and carpet, before these products can be imported into the U.S.

As required by TSCA, as amended, EPA was due to release its first 10 high-priority risk evaluations in December 2019, but the agency was unable to meet that deadline and required a 6-month extension for all 10 risk evaluations. EPA did not meet the original or extended deadline; they had released nine of 10 risk evaluations by the end of December 2020.

However, EPA did not (1) publicly release scoping documents for its next 20 risk evaluations by the June 2020 deadline, or (2) include in its annual plans updates on its progress in completing the risk evaluations that are due by the end of 2022. And as noted above, a 2019 court ruling will require EPA to revise its risk evaluation process; EPA has not released information about incorporating these changes into its risk evaluations.

What Remains to Be Done

Since we added TSCA implementation to our High-Risk List in 2009, we have made three recommendations related to this high-risk area, of which one remains open. Specifically, EPA needs to carry out workforce planning to ensure it has the resources and plans in place to facilitate progress on chemical risk evaluations and other work implementing TSCA. EPA needs to issue 20 high-priority risk evaluations by December 2022 and submit annual plans to Congress that contain details about resource needs and implementation steps for completing mandated work.

Related GAO Products

Chemical Assessments: Annual Survey Inconsistent with Leading Practices in Program Management. GAO‑21‑156. Washington, D.C.: December 18, 2020.

Chemical Assessments: Status of EPA’s Efforts to Produce Assessments and Implement the Toxic Substances Control Act. GAO‑19‑270. Washington, D.C.: March 4, 2019.

Chemical Assessments: Agencies Coordinate Activities, but Additional Action Could Enhance Efforts. GAO‑14‑763. Washington, D.C.: September 29, 2014.

Chemical Assessments: An Agencywide Strategy May Help EPA Address Unmet Needs for Integrated Risk Information System Assessments. GAO‑13‑369. Washington, D.C.: May 10, 2013.

Toxic Substances: EPA Has Increased Efforts to Assess and Control Chemicals but Could Strengthen Its Approach. GAO‑13‑249. Washington, D.C.: March 22, 2013.

Chemical Assessments: Challenges Remain with EPA’s Integrated Risk Information System Program. GAO‑12‑42. Washington, D.C.: December 9, 2011.

Chemical Assessments: Low Productivity and New Interagency Review Process Limit the Usefulness and Credibility of EPA’s Integrated Risk Information System.