Image

Information Management

Recent Reports

Freedom of Information Act: Additional Guidance and Reliable Data Can Help Address Agency Backlogs

Published: Mar 07, 2024

Publicly Released: Mar 13, 2024

Science & Tech Spotlight: Combating Deepfakes

Published: Mar 11, 2024

Publicly Released: Mar 11, 2024

International Military Students: DOD and State Should Assess Vetting Implementation and Strengthen Information Sharing

Published: Feb 29, 2024

Publicly Released: Feb 29, 2024

Countering Violent Extremism: FBI and DHS Need Strategies and Goals for Sharing Threat Information with Social Media and Gaming Companies

Published: Jan 31, 2024

Publicly Released: Feb 28, 2024

401(k) Plans: Additional Federal Actions Would Help Participants Track and Consolidate Their Retirement Savings

Published: Jan 18, 2024

Publicly Released: Feb 20, 2024

Artificial Intelligence: GAO's Work to Leverage Technology and Ensure Responsible Use

Published: Jan 30, 2024

Publicly Released: Jan 29, 2024

View More Reports

Open Recommendations

Artificial Intelligence: DOD Needs Department-Wide Guidance to Inform Acquisitions

Show

4 Open Recommendations

Agency Affected	Recommendation	Status
Department of Defense	The Secretary of Defense should ensure that the Chief Digital and AI Officer, in conjunction with other DOD acquisition policy offices as appropriate, prioritize establishing department-wide AI acquisition guidance, including leveraging key private company factors, as appropriate. (Recommendation 1)	Open DOD agreed with this recommendation. To address it, the Chief Digital and AI Officer (CDAO) stated that it developed the DOD Data, Analytics, and AI Adoption Strategy, released in November 2023, which includes guidance for DOD components on adopting and scaling AI capabilities, with a decision aid framework appendix planned for March 2024. DOD is also planning to create a federated AI construct implementation plan and publish a DOD instruction to serve as department-wide AI acquisition guidance by September 2024.
Department of the Army	After DOD issues department-wide AI acquisition guidance, the Secretary of the Army should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate. (Recommendation 2)	Open The Army agreed with this recommendation. As of Fall 2023, it noted that it expects to update the AI and Autonomy Roadmap after CDAO publishes its AI strategy, but did not indicate a specific timeframe for doing so. The Army is also delivering a Unified Data Reference Architecture and Project Linchpin, the Army's operations-enabling program for AI/machine learning capabilities.
Department of the Navy	After DOD issues department-wide AI acquisition guidance, the Secretary of the Navy should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate. (Recommendation 3)	Open The Navy agreed with this recommendation. As of Fall 2023, it noted that it expects to update AI acquisition guidance issued by the Secretary of the Navy where applicable within 90 days after CDAO issues its AI strategy.
Department of the Air Force	After DOD issues department-wide AI acquisition guidance, the Secretary of the Air Force should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate. (Recommendation 4)	Open The Air Force agreed with this recommendation. As of Fall 2023, it noted that it expects to address this recommendation by January 2026 by establishing Air Force-specific AI acquisition guidance after CDAO issues its AI strategy.

Information Management: Agencies Need to Streamline Electronic Services

Show

12 Open Recommendations

Agency Affected	Recommendation	Status
Office of Management and Budget	The Director of the Office of Management and Budget should take steps to promote, through mechanisms such as the Federal Privacy Council and Chief Information Officers Council, sharing of information and lessons learned to help agencies implement the requirements of the CASES Act; this could include SEC sharing information on overcoming challenges and identifying lessons learned. (Recommendation 1)	Open As of March 2024, OMB has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Department of Defense	The Secretary of Defense should establish a reasonable time frame for when the Department of Defense will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 2)	Open As of March 2024, DOD has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Department of Health and Human Services	The Secretary of Health and Human Services should establish a reasonable time frame for when the Department of Health and Human Services will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated and post access and consent forms on the department's privacy program website. (Recommendation 3)	Open As of March 2024, HHS reported that it receives approximately 15,000 first-party request per year, 90% of which are received by the Centers for Medicare and Medicaid Services (CMS). In addition, the department noted that CMS added functionality to an existing electronic processing platform in September 2022 to allow users to choose between Login.gov and ID.me for digital proofing. The electronic processing platform is expected to permit CMS to accept remote identity proofing and authentication from individuals requesting access to their records. HHS also described its ongoing efforts towards being fully compliant with the CASES ACT and the Office of Management and Budget implementation guidance (M-21-04), but the department has not yet established a time frame for completion.
Department of the Interior	The Secretary of Interior should establish a reasonable time frame for when the Department of the Interior will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 4)	Open As of March 2024, DOI has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.
Department of Justice	The Attorney General should establish a reasonable time frame for when the Department of Justice will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 5)	Open As of March 2024, Justice noted that any solution to implement remote identity proofing with authentication consistent with the CASES ACT and the Office of Management and Budget implementation guidance (M-21-04) must meet NIST's technical standard known as "Identity Assurance Level 2" (IAL2). In addition, the Department stated that they had been exploring acquiring the remote identity proofing services known as Login.gov offered by the General Services Administration (GSA), as a means of complying with the requirements of the CASES Act and M-21-04. Further, Justice stated the concerns identified in the GSA Inspector General report have contributed to challenges that the Department has faced in finding a solution to facilitate CASES Act compliance.
Department of Transportation	The Secretary of Transportation should establish a reasonable time frame for when the Department of Transportation will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 6)	Open As of March 2024, DOT has not yet provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

COVID-19: Pandemic Lessons Highlight Need for Public Health Situational Awareness Network

Show

12 Open Recommendations

1 Priority

Agency Affected	Recommendation	Status
Department of Health and Human Services	The Secretary of HHS should prioritize the development of the public health situational awareness and biosurveillance network by designating a lead operational division for PAHPAIA implementation. (Recommendation 1)	Open In February 2023, HHS stated that ASPR and CDC are co-leads for the implementation of the public health situational awareness network capability given their respective missions and operational responsibilities. They further stated that ASPR and CDC have coordinated and served as co-leads responding to a range of public health emergencies and as such, there is not a single document that prescribes their roles as co-leads for the implementation of the public health situational awareness network. For example, as part of the initial steps to establish an electronic public health situational awareness network capability, the HHS Deputy Secretary signed a decision memo on March 18, 2022 to transition the HHS Protect data system and program stewardship to CDC. Further, HHS added that in March 2022, the HHS Deputy Secretary approved a new governance structure to ensure strategic oversight, active management, and upkeep of HHS Protect as a data management system that will provide a common operating structure for future public health emergencies. However, as of April 2023, the department did not designate a lead operational division for PAHPAIA implementation, which goes beyond the capabilities of HHS Protect. The PAHPAIA requirements include developing a plan to ensure that systems of public health communications and surveillance allow for the timely and secure dissemination of essential information concerning bioterrorism or other public health emergencies. The requirements also include HHS conducting a review of the data and information transmitted by the network and a discussion of any additional data sources and challenges in the incorporation of standardized data from various sources. As of February 2024, HHS stated that it is working to provide an additional update to GAO. We will continue to monitor the actions HHS takes to implement this recommendation.
Department of Health and Human Services	The Secretary of HHS should clearly define the roles and responsibilities for the lead operational division responsible for PAHPAIA implementation. The roles and responsibilities should include the specific activities required in PAHPAIA. (Recommendation 2)	Open In February 2023, HHS stated that ASPR and CDC are co-leads for the implementation of the public health situational awareness network given their respective missions and operational responsibilities. Additionally, HHS stated that HHS Protect is currently serving as the common operating picture for public health emergencies to meet the goals of a public health situational awareness network, required by PAHPAIA. HHS added that in March 2022, its Deputy Secretary also approved a new governance structure to ensure strategic oversight, active management, and upkeep of HHS Protect as a data management system that will provide a common operating picture for future public health emergencies. However, as of April 2023, the department did not provide clearly defined roles and responsibilities for PAHPAIA implementation. As of February 2024, HHS stated that it is working to provide an additional update to GAO. We will continue to monitor any additional actions HHS takes to implement this recommendation.
Department of Health and Human Services	The Secretary of HHS should identify the office responsible for overseeing the completion of the activities performed by the lead operational division and clearly define its roles and responsibilities. (Recommendation 3)	Open In February 2023, HHS stated that the new governance structure also established an executive board to provide oversight on the overall strategy and activities of HHS Protect. However, as of April 2023, the department had not provided evidence that it had clearly defined the roles and responsibilities of the executive board in overseeing the completion of the activities performed for PAHPAIA implementation. As of February 2024, HHS stated that it is working to provide an additional update to GAO. We will continue to monitor any additional actions HHS takes to implement this recommendation.
Department of Health and Human Services	The Secretary of HHS should ensure that the lead operational division, in developing the PAHPAIA work plan, includes the steps to be taken to address all of the required actions in PAHPAIA. (Recommendation 4)	Open In April 2023, HHS noted that additional actions to address the requirements in PAHPAIA related to an electronic public health situational awareness network capability beyond fiscal year 2023 will require additional funding resources. According to the department, the long-term vision is to build on the successes of HHS Protect and fully establish an all-hazards near real-time, electronic, nationwide public health common operating picture for 24/7 situational awareness data for use during and in between emergency responses by HHS; other government agencies; and state, local, territorial, and tribal partners. As of February 2024, HHS stated that it will continue to provide information to GAO in future updates. We will continue to monitor the actions HHS takes to implement this recommendation.
Department of Health and Human Services	Priority Rec. The Secretary of HHS should ensure that the lead operational division, in developing the PAHPAIA work plan, includes specific near-term and longterm actions that can be completed to show progress in developing the network. (Recommendation 5)	Open In April 2023, HHS stated that longer-term actions that can be completed beyond fiscal year 2023 will require the establishment of dedicated funding resources. HHS also stated that it had completed specific near-term actions to establish an electronic public health situational awareness network capability by transitioning the HHS Protect data system and program stewardship to CDC and approving a new governance structure. In March 2024, HHS stated that the FY 2024 CDC Congressional Justification request will support the Response Ready Enterprise Data Platform (formerly HHS Protect) to serve as the common operating picture and central hub to collect, integrate, and share public health data in near-real time across federal agencies and with state, local, territorial, and tribal partners. HHS also stated that it will continue to provide information to GAO in future updates. We will continue to monitor any additional actions HHS takes to implement this recommendation. To fully implement this recommendation, HHS should ensure that it develops a plan for specific long-term actions in addition to near-term actions to show progress in the PAHPAIA network's development. For example, the plan should include PAHPAIA requirements regarding HHS' efforts to conduct a review of the data and information transmitted by the network and a discussion of any additional data sources and challenges in the incorporation of standardized data from various sources. Until HHS fully implements this recommendation, it may not be able to show that it is making significant progress in developing the network.
Department of Health and Human Services	The Secretary of HHS should ensure that the lead operational division, in developing the PAHPAIA work plan, includes time frames for implementing the near-term and long-term actions. (Recommendation 6)	Open In April 2023, HHS stated that longer-term actions that can be completed beyond fiscal year 2023 will require the establishment of dedicated funding resources. As of February 2024, HHS stated that it will continue to provide information to GAO in future updates. We will continue to monitor any additional actions HHS takes to implement this recommendation.

Electronic Health Records: Additional DOD Actions Could Improve Cost and Schedule Estimating for New System

Show

1 Open Recommendations

Agency Affected	Recommendation	Status
Department of Defense	The Secretary of Defense should direct the Program Executive Officer of Defense Health Management Systems to ensure that the program office develops a reliable cost estimate using best practices described in GAO's Cost Estimating and Assessment Guide, in particular, by addressing those cost practices that were partially or minimally met. (Recommendation 1)	Open In its comments on our draft report, DOD agreed with our recommendation and outlined steps it would take in response. In July 2023, DOD reported that the program will start transitioning to new cost estimating software in September 2023. As a result of this transition, DOD stated that they will not have a new cost estimate that adheres to the best practices described in our Cost Estimating and Assessment Guide until September 2024. We will continue to be in contact with DOD to gain additional information on the actions they are taking and their progress toward completion.

View More Recommendations

GAO Contacts

Carol C. Harris

Director

harriscc@gao.gov

Nick Marinos

Managing Director

MarinosN@gao.gov

Taka Ariga

Chief Data Scientist and Director of the Innovation Lab

Jennifer Franks

Director

franksj@gao.gov

David (Dave) Hinchman

Director

HinchmanD@gao.gov

Jared B. Smith

Chief Statistician and Director of the Center for Statistics and Data Analysis

smithjb@gao.gov