This is the accessible text file for GAO report number GAO-15-371T entitled 'GAO's 2015 High-Risk Series: An Update' which was released on February 11, 2015.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Testimony:
Before the Committee on Homeland Security and Governmental Affairs, U.S. Senate:

For Release on Delivery:
Expected at 10 a.m. ET:
Wednesday, February 11, 2015:

GAO's 2015 High-Risk Series: An Update:

Statement of Gene L. Dodaro:
Comptroller General of the United States:

GAO-15-371T:

GAO Highlights:

Highlights of GAO-15-371T, a statement before the Committee on Homeland Security and Governmental Affairs, U.S. Senate.

Why GAO Did This Study:

The federal government is one of the world's largest and most complex entities; about $3.5 trillion in outlays in fiscal year 2014 funded a broad array of programs and operations. GAO maintains a program to focus attention on government operations that it identifies as high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement or the need for transformation to address economy, efficiency, or effectiveness challenges. Since 1990, more than one-third of the areas previously designated as high risk have been removed from the list because sufficient progress was made in addressing the problems identified. The five criteria for removal are: (1) leadership commitment, (2) agency capacity, (3) an action plan, (4) monitoring efforts, and (5) demonstrated progress. This biennial update describes the status of high-risk areas listed in 2013 and identifies new high-risk areas needing attention by Congress and the executive branch. Solutions to high-risk problems offer the potential to save billions of dollars, improve service to the public, and strengthen government performance and accountability.

What GAO Found:

Solid, steady progress has been made in the vast majority of the high-risk areas. Eighteen of the 30 areas on the 2013 list at least partially met all of the criteria for removal from the high risk list. Of those, 11 met at least one of the criteria for removal and partially met all others. Sufficient progress was made to narrow the scope of two high-risk issues--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management. Overall, progress has been possible through the concerted actions of Congress, leadership and staff in agencies, and the Office of Management and Budget.

This year GAO is adding 2 areas, bringing the total to 32.

* Managing Risks and Improving Veterans Affairs (VA) Health Care.
GAO has reported since 2000 about VA facilities' failure to provide timely health care. In some cases, these delays or VA's failure to provide care at all have reportedly harmed veterans. Although VA has taken actions to address some GAO recommendations, more than 100 of GAO's recommendations have not been fully addressed, including recommendations related to the following areas: (1) ambiguous policies and inconsistent processes, (2) inadequate oversight and accountability, (3) information technology challenges, (4) inadequate training for VA staff, and (5) unclear resource needs and allocation priorities. The recently enacted Veterans Access, Choice, and Accountability Act included provisions to help VA address systemic weaknesses. VA must effectively implement the act.

* Improving the Management of Information Technology (IT) Acquisitions and Operations. Congress has passed legislation and the administration has undertaken numerous initiatives to better manage IT investments. Nonetheless, federal IT investments too frequently fail to be completed or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. GAO has found that the federal government spent billions of dollars on failed and poorly performing IT investments which often suffered from ineffective management, such as project planning, requirements definition, and program oversight and governance. Over the past 5 years, GAO made more than 730 recommendations; however, only about 23 percent had been fully implemented as of January 2015.

GAO is also expanding two areas due to evolving high-risk issues.

* Enforcement of Tax Laws. This area is expanded to include IRS's efforts to address tax refund fraud due to identity theft. IRS estimates it paid out $5.8 billion (the exact number is uncertain) in fraudulent refunds in tax year 2013 due to identity theft.
This occurs when a thief files a fraudulent return using a legitimate taxpayer's identifying information and claims a refund.

* Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information (PII). This risk area is expanded because of the challenges to ensuring the privacy of personally identifiable information posed by advances in technology. These advances have allowed both government and private sector entities to collect and process extensive amounts of PII more effectively. The number of reported security incidents involving PII at federal agencies has increased dramatically in recent years.

What GAO Recommends:

This report contains GAO's views on progress made and what remains to be done to bring about lasting solutions for each high-risk area. Perseverance by the executive branch in implementing GAO's recommended solutions and continued oversight and action by Congress are essential to achieving greater progress.

View [hyperlink, http://www.gao.gov/products/GAO-15-371T]. For more information, contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov.

[End of section]

GAO's 2015 High Risk List:

Strengthening the Foundation for Efficiency and Effectiveness:
* Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks.
* Management of Federal Oil and Gas Resources.
* Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance[A].
* Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability[A].
* Funding the Nation's Surface Transportation System[A].
* Strategic Human Capital Management.
* Managing Federal Real Property.
* Improving the Management of IT Acquisitions and Operations (new).

Transforming DOD Program Management:
* DOD Approach to Business Transformation.
* DOD Business Systems Modernization.
* DOD Support Infrastructure Management[A].
* DOD Financial Management.
* DOD Supply Chain Management.
* DOD Weapon Systems Acquisition.

Ensuring Public Safety and Security:
* Mitigating Gaps in Weather Satellite Data.
* Strengthening Department of Homeland Security Management Functions.
* Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland.
* Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information[A].
* Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests[A].
* Improving Federal Oversight of Food Safety[A].
* Protecting Public Health through Enhanced Oversight of Medical Products.
* Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals[A].

Managing Federal Contracting More Effectively:
* DOD Contract Management.
* DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management.
* NASA Acquisition Management.

Assessing the Efficiency and Effectiveness of Tax Law Administration:
* Enforcement of Tax Laws[A].

Modernizing and Safeguarding Insurance and Benefit Programs:
* Managing Risks and Improving VA Health Care (new).
* Improving and Modernizing Federal Disability Programs.
* Pension Benefit Guaranty Corporation Insurance Programs[A].
* Medicare Program[A].
* Medicaid Program[A].
* National Flood Insurance Program[A].

Source: GAO. GAO-15-371T.

[A] Legislation is likely to be necessary to effectively address this high-risk area.

[End of table]

[End of section]

Chairman Johnson, Ranking Member Carper, and Members of the Committee:

Thank you for the opportunity to discuss our 2015 high-risk update.
[Footnote 1] Since 1990, we have regularly reported on government operations that we have identified as high risk due to their greater vulnerability to fraud, waste, abuse, and mismanagement or the need for transformation to address economy, efficiency, or effectiveness challenges. Our high-risk program, supported by this Committee and the House Committee on Oversight and Government Reform, has brought much-needed focus to problems impeding effective government and costing billions of dollars each year.

Since our last high-risk update in 2013, solid, steady progress has been made in the vast majority of areas that remain on the list. Since 1990, more than one-third of the areas previously designated as high risk have been removed from the High Risk List because sufficient progress was made in addressing the problems identified. Nonetheless, 11 issues have been on the High Risk List since the 1990s and 6 of these were on our original list of 14 areas in 1990.

Congressional oversight and legislative action have been critical to the progress that has been made. Congress passed numerous laws targeting both specific problems and the high-risk areas overall. In addition, top administration officials have continued to show their commitment to ensuring that high-risk areas receive attention and oversight. The Office of Management and Budget (OMB) regularly convenes meetings with agency leaders and GAO to discuss progress updates on high-risk issues.

This year, due to significant progress made, we narrowed the high-risk designation for two areas--Protecting Public Health Through Enhanced Oversight of Medical Products and DOD Contract Management. We also designated two new high-risk areas this year--Managing Risks and Improving VA Health Care and Improving the Management of IT Acquisitions and Operations.
Lasting solutions to these and the other 30 high-risk areas offer the potential to save billions of dollars, dramatically improve service to the American public, and strengthen public confidence and trust in the performance and accountability of our national government.

While there has been notable progress, much remains to be done to address the 32 high-risk issues that are currently on our High Risk List. Our high risk update report and website provide details for each of these issues, describing the nature of the risks, what actions have been taken to address them, and what remains to be done to make further progress.[Footnote 2] The details in our report, along with successful implementation by agencies and continued oversight by Congress, can form a solid foundation for progress to address risks and improve programs and operations.

New High-Risk Areas for 2015:

To determine which federal government programs and functions should be added to the High Risk List, we consider whether the program or function is of national significance or is key to government performance and accountability. Further, we consider qualitative factors, such as whether the risk:

* involves public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens' rights, or:

* could result in significant impaired service, program failure, injury or loss of life, or significantly reduced economy, efficiency, or effectiveness.

In addition, we also review the exposure to loss in quantitative terms such as the value of major assets being impaired, revenue sources not being realized, or major agency assets being lost, stolen, damaged, or wasted. We also consider corrective measures planned or under way to resolve a material control weakness and the status and effectiveness of these actions.

This year, we added two new areas, delineated below, to the High Risk List based on those criteria.

Managing Risks and Improving VA Health Care: In response to serious and long-standing problems with veterans' access to care, which were highlighted in a series of congressional hearings in the spring and summer of 2014, Congress enacted the Veterans Access, Choice, and Accountability Act of 2014 (Pub. L. No. 113-146, 128 Stat. 1754), which provides $15 billion in new funding for Department of Veterans Affairs (VA) health care. Generally, this law requires VA to offer veterans the option to receive hospital care and medical services from a non-VA provider when a VA facility cannot provide an appointment within 30 days, or when veterans reside more than 40 miles from the nearest VA facility. Under the law, VA received $10 billion to cover the expected increase in utilization of non-VA providers to deliver health care services to veterans. The $10 billion is available until expended and is meant to supplement VA's current budgetary resources for medical care. Further, the law appropriated $5 billion to increase veterans' access to care by expanding VA's capacity to deliver care to veterans by hiring additional clinicians and improving the physical infrastructure of VA's facilities. It is therefore critical that VA ensures its resources are being used in a cost-effective manner to improve veterans' timely access to health care. We have categorized our concerns about VA's ability to ensure the timeliness, cost-effectiveness, quality, and safety of the health care the department provides into five broad areas: (1) ambiguous policies and inconsistent processes, (2) inadequate oversight and accountability, (3) information technology challenges, (4) inadequate training for VA staff, and (5) unclear resource needs and allocation priorities. We have made numerous recommendations that aim to address weaknesses in VA's management of its health care system--more than 100 of which have yet to be fully resolved. 
For example, to ensure that its facilities are carrying out processes at the local level more consistently--such as scheduling veterans' medical appointments and collecting data on veteran suicides--VA needs to clarify its existing policies. VA also needs to strengthen oversight and accountability across its facilities by conducting more systematic, independent assessments of processes that are carried out at the local level, including how VA facilities are resolving specialty care consults, processing claims for non-VA care, and establishing performance pay goals for their providers. We also have recommended that VA work with the Department of Defense (DOD) to address the administrative burdens created by the lack of interoperability between their two IT systems. A number of our recommendations aim to improve training for staff at VA facilities, to address issues such as how staff are cleaning, disinfecting, and sterilizing reusable medical equipment, and to more clearly align training on VA's new nurse staffing methodology with the needs of staff responsible for developing nurse staffing plans. Finally, we have recommended that VA improve its methods for identifying VA facilities' resource needs and for analyzing the cost-effectiveness of VA health care.

The recently enacted Veterans Access, Choice, and Accountability Act included a number of provisions intended to help VA address systemic weaknesses. For example, the law requires VA to contract with an independent entity to (1) assess VA's capacity to meet the current and projected demographics and needs of veterans who use the VA health care system, (2) examine VA's clinical staffing levels and productivity, and (3) review VA's IT strategies and business processes, among other things.
The new law also establishes a 15-member commission, to be appointed primarily by bipartisan congressional leadership, which will examine how best to organize the VA health care system, locate health care resources, and deliver health care to veterans.

It is critical for VA leaders to act on the findings of this independent contractor and congressional commission, as well as on those of VA's Office of the Inspector General, GAO, and others, and to fully commit themselves to developing long-term solutions that mitigate risks to the timeliness, cost-effectiveness, quality, and safety of the VA health care system.

It is also critical that Congress maintains its focus on oversight of VA health care. In the spring and summer of 2014, congressional committees held more than 20 hearings to address identified weaknesses in the VA health care system. Sustained congressional attention to these issues will help ensure that VA continues to make progress in improving the delivery of health care services to veterans.

We plan to continue monitoring VA's efforts to improve the timeliness, cost-effectiveness, quality, and safety of veterans' health care. To this end, we have ongoing work focusing on topics such as veterans' access to primary care and mental health services; primary care productivity; nurse recruitment and retention; monitoring and oversight of VA spending on training programs for health care professionals; mechanisms VA uses to monitor quality of care; and VA and DOD investments in Centers of Excellence--which are intended to produce better health outcomes for veterans and service members.

Improving the Management of IT Acquisitions and Operations:

Although the executive branch has undertaken numerous initiatives to better manage the more than $80 billion that is annually invested in information technology (IT), federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.
We have previously testified that the federal government has spent billions of dollars on failed IT investments. These and other failed IT projects often suffered from a lack of disciplined and effective management, such as project planning, requirements definition, and program oversight and governance. In many instances, agencies have not consistently applied best practices that are critical to successfully acquiring IT investments. We have identified nine critical factors underlying successful major acquisitions that support the objective of improving the management of large-scale IT acquisitions across the federal government: (1) program officials actively engaging with stakeholders; (2) program staff having the necessary knowledge and skills; (3) senior department and agency executives supporting the programs; (4) end users and stakeholders involved in the development of requirements; (5) end users participating in testing of system functionality prior to end user acceptance testing; (6) government and contractor staff being stable and consistent; (7) program staff prioritizing requirements; (8) program officials maintaining regular communication with the prime contractor; and (9) programs receiving sufficient funding.[Footnote 3] While there have been numerous executive branch initiatives aimed at addressing these issues, implementation has been inconsistent. Over the past 5 years, we have reported numerous times on shortcomings with IT acquisitions and operations and have made about 737 related recommendations, 361 of which were to the Office of Management and Budget (OMB) and agencies to improve the implementation of the recent initiatives and other government-wide, cross-cutting efforts. As of January 2015, about 23 percent of the 737 recommendations had been fully implemented. 
Given the federal government's continued experience with failed and troubled IT projects, coupled with the fact that OMB initiatives to help address such problems have not been fully implemented, the government will likely continue to produce disappointing results and will miss opportunities to improve IT management, reduce costs, and improve services to the public, unless needed actions are taken. Further, it will be more difficult for stakeholders, including Congress and the public, to monitor agencies' progress and hold them accountable for reducing duplication and achieving cost savings. Recognizing the severity of issues related to government-wide management of IT, in December 2014 the Federal Information Technology Acquisition Reform provisions were enacted as a part of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015. I want to acknowledge the leadership of this Committee and the House Committee on Oversight and Government Reform in leading efforts to enact this important legislation. To help address the management of IT investments, OMB and federal agencies should expeditiously implement the requirements of the December 2014 statutory provisions promoting IT acquisition reform.[Footnote 4] Doing so should (1) improve the transparency and management of IT acquisitions and operations across the government, and (2) strengthen the authority of chief information officers to provide needed direction and oversight. To help ensure that these improvements are achieved, congressional oversight of agencies' implementation efforts is essential. Beyond implementing the recently enacted law, OMB and agencies need to continue to implement our previous recommendations in order to improve their ability to effectively and efficiently invest in IT. 
Several of these are critical, such as:

* conducting TechStat reviews for at-risk investments,

* updating the public version of the IT Dashboard throughout the year, and:

* developing comprehensive inventories of federal agencies' software licenses.

To ensure accountability, OMB and agencies should also demonstrate measurable government-wide progress in the following key areas:

* OMB and agencies should, within 4 years, implement at least 80 percent of our recommendations related to the management of IT acquisitions and operations.

* Agencies should ensure that a minimum of 80 percent of the government's major acquisitions deliver functionality every 12 months.

* Agencies should achieve no less than 80 percent of the over $6 billion in planned PortfolioStat savings and 80 percent of the more than $5 billion in savings planned for data center consolidation.

Expanding High-Risk Areas:

In the 2 years since the last high-risk update, two areas have expanded in scope. Enforcement of Tax Laws has been expanded to include IRS's efforts to address tax refund fraud due to identity theft. Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure has been expanded to include the federal government's protection of personally identifiable information and is now called Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting Personally Identifiable Information (PII).

Enforcement of Tax Laws:

Since 1990, we have designated one or more aspects of Enforcement of Tax Laws as high risk. The focus of the Enforcement of Tax Laws high-risk area is on the estimated $385 billion net tax gap--the difference between taxes owed and taxes paid--and IRS's and Congress's efforts to address it.
Given current and emerging risks, we are expanding the Enforcement of Tax Laws area to include IRS's efforts to address tax refund fraud due to identity theft (IDT), which occurs when an identity thief files a fraudulent tax return using a legitimate taxpayer's identifying information and claims a refund. While acknowledging that the numbers are uncertain, IRS estimated paying about $5.8 billion in fraudulent IDT refunds while preventing $24.2 billion during the 2013 tax filing season.

While there are no simple solutions to combating IDT refund fraud, we have identified various options that could help, some of which would require legislative action. Because some of these options represent a significant change to the tax system that could likely burden taxpayers and impose significant costs to IRS for systems changes, it is important for IRS to assess the relative costs and benefits of the options. This assessment will help ensure an informed discussion among IRS and relevant stakeholders--including Congress--on the best option (or set of options) for preventing IDT refund fraud.

Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information:

Since 1997, we have designated the security of our federal cyber assets as a high-risk area. In 2003, we expanded this high-risk area to include the protection of critical cyber infrastructure. The White House and federal agencies have taken steps toward improving the protection of our cyber assets. However, advances in technology which have dramatically enhanced the ability of both government and private sector entities to collect and process extensive amounts of Personally Identifiable Information (PII) pose challenges to ensuring the privacy of such information. The number of reported security incidents involving PII at federal agencies has increased dramatically in recent years.
In addition, high-profile PII breaches at commercial entities have heightened concerns that personal privacy is not being adequately protected. Finally, both federal agencies and private companies collect detailed information about the activities of individuals--raising concerns about the potential for significant erosion of personal privacy. We have suggested, among other things, that Congress consider amending privacy laws to cover all PII collected, used, and maintained by the federal government and recommended that the federal agencies we reviewed take steps to protect personal privacy and improve their responses to breaches of PII. For these reasons, we added the protection of privacy to this high-risk area this year.

Essential Elements for Addressing High-Risk Areas:

Our experience with the high-risk series over the past 25 years has shown that five broad elements are essential to make progress. [Footnote 5] The five criteria for removal are as follows:

* Leadership commitment. Demonstrated strong commitment and top leadership support.

* Capacity. Agency has the capacity (i.e., people and resources) to resolve the risk(s).

* Action plan. A corrective action plan exists that defines the root cause and solutions and that provides for substantially completing corrective measures, including steps necessary to implement solutions we recommended.

* Monitoring. A program has been instituted to monitor and independently validate the effectiveness and sustainability of corrective measures.

* Demonstrated progress. Ability to demonstrate progress in implementing corrective measures and in resolving the high-risk area.

These five criteria form a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the criteria leads to progress, while satisfying all of the criteria is central to removal from the list. Figure 1 shows the five criteria and examples of actions taken by agencies to address the criteria.
Throughout my statement and in our high-risk update report, we have detailed many actions taken to address the high-risk areas aligned with the five criteria as well as additional steps that need to be addressed.

Figure 1: Criteria for Removal from the High Risk List and Examples of Actions Leading to Progress:

[Refer to PDF for image: illustration]

Leadership Commitment: Top Leadership Support;
High Risk Criteria Examples:
* Establishing long-term priorities and goals;
* Developing organizational changes and initiatives;
* Providing continuing oversight and accountability;
* Initiating or implementing legislation.

Capacity: People and Resources;
High Risk Criteria Examples:
* Allocating or reallocating funds or staff;
* Establishing work groups with specific responsibilities;
* Establishing and maintaining procedures or systems.

Action Plan: Root Causes & Corrective Measures;
High Risk Criteria Examples:
* Identifying and analyzing root causes of problems;
* Identifying critical actions and outcomes to address root causes;
* Developing milestones and metrics for implementing plan goals;
* Ensuring there are processes for reporting progress;
* Establishing goals and performance measures.

Monitoring: Substantiate Effectiveness;
* Holding frequent review meetings to assess status and performance;
* Reporting to senior managers on program progress and potential risks;
* Tracking progress against goals.

Demonstrated Progress: Resolving the High Risk Area;
* Taking actions to ensure progress (or improvements) are sustained;
* Using data to show action on plan implementation;
* Showing high-risk issues are being effectively managed and root causes are being addressed.

Source: GAO analysis of agencies' actions to address high-risk issues and GAO criteria for removal from the High Risk List in GAO-01-159SP. GAO-15-371T.
[End of figure]

In each of our high-risk updates, for more than a decade, we have assessed progress to address the five criteria for removing the high-risk areas from the list. In this high-risk update, we are adding additional clarity and specificity to our assessments by rating each high-risk area's progress on the criteria, using the following definitions:

* Met. Actions have been taken that meet the criterion. There are no significant actions that need to be taken to further address this criterion.

* Partially met. Some, but not all, actions necessary to meet the criterion have been taken.

* Not met. Few, if any, actions towards meeting the criterion have been taken.

Figure 2 is a visual representation of varying degrees of progress in each of the five criteria for a high-risk area. Each point of the star represents one of the five criteria for removal from the High Risk List and each ring represents one of the three designations: not met, partially met, or met.

Figure 2: High-Risk Progress Criteria Ratings:

[Refer to PDF for image: illustration of star]

Source: GAO. GAO-15-371T.

[End of figure]

The progress ratings used to address the high-risk criteria are an important part of our efforts to provide greater transparency and specificity to agency leaders as they seek to address high-risk areas. Beginning in the spring of 2014 leading up to this high-risk update, we met with agency leaders across government to discuss preliminary progress ratings. These meetings focused on actions taken and on additional actions that need to be taken to address the high-risk issues. Several agency leaders told us that the additional clarity provided by the progress rating helped them better target their improvement efforts.

Continued Progress:

Since our last high-risk update in 2013, there has been solid and steady progress on the vast majority of the 30 high-risk areas from our 2013 list.
Progress has been possible through the concerted actions and efforts of Congress and the leadership and staff in agencies and OMB. As shown in table 1, 18 high-risk areas have met or partially met all criteria for removal from the list; 11 of these areas also fully met at least one criterion. Of the 11 areas that have been on the High Risk List since the 1990s, 7 have at least met or partially met all of the criteria for removal and 1 area--DOD Contract Management--is 1 of the 2 areas that has made enough progress to remove subcategories of the high-risk area. Overall, 28 high-risk areas were rated against the five criteria, totaling a possible 140 high-risk area criteria ratings. Of these, 122 (or 87 percent) were rated as met or partially met. On the other hand, 13 of the areas have not met any of the five criteria; 3 of those--DOD Business Systems Modernization, DOD Support Infrastructure Management, and DOD Financial Management--have been on the High Risk List since the 1990's. Table 1: High-Risk Areas Rated Against Five Criteria for Removal: High Risk Area: NASA Acquisition Management; Number of Criteria: Met: 3; Partially Met: 2; Not Met: 0. High Risk Area: Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: Protecting Public Health through Enhanced Oversight of Medical Products; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: Strengthening Department of Homeland Security Management Functions; Number of Criteria: Met: 2; Partially Met: 3; Not Met: 0. High Risk Area: DOD Contract Management; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: DOD Supply Chain Management; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. High Risk Area: DOD Weapon Systems Acquisition; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0. 
High Risk Area: Management of Federal Oil and Gas Resources; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0.

High Risk Area: Medicare Program; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0.

High Risk Area: Mitigating Gaps in Weather Satellite Data; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0.

High Risk Area: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information; Number of Criteria: Met: 1; Partially Met: 4; Not Met: 0.

High Risk Area: DOD Support Infrastructure Management; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Ensuring the Effective Protection of Technologies Critical to U.S. National Security Interests; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Improving and Modernizing Federal Disability Programs; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Medicaid Program; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Modernizing the U.S. Financial Regulatory System and the Federal Role in Housing Finance; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: National Flood Insurance Program; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Restructuring the U.S. Postal Service to Achieve Sustainable Financial Viability; Number of Criteria: Met: 0; Partially Met: 5; Not Met: 0.

High Risk Area: Enforcement of Tax Laws; Number of Criteria: Met: 1; Partially Met: 3; Not Met: 1.

High Risk Area: Managing Federal Real Property; Number of Criteria: Met: 1; Partially Met: 3; Not Met: 1.

High Risk Area: DOD Business Systems Modernization; Number of Criteria: Met: 0; Partially Met: 4; Not Met: 1.

High Risk Area: Strategic Human Capital Management; Number of Criteria: Met: 0; Partially Met: 4; Not Met: 1.
High Risk Area: Transforming EPA's Processes for Assessing and Controlling Toxic Chemicals; Number of Criteria: Met: 1; Partially Met: 2; Not Met: 2.

High Risk Area: DOD Financial Management; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2.

High Risk Area: Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2.

High Risk Area: Improving Federal Oversight of Food Safety; Number of Criteria: Met: 0; Partially Met: 3; Not Met: 2.

High Risk Area: DOE's Contract Management for the National Nuclear Security Administration and Office of Environmental Management; Number of Criteria: Met: 1; Partially Met: 1; Not Met: 3.

High Risk Area: DOD Approach to Business Transformation; Number of Criteria: Met: 0; Partially Met: 2; Not Met: 3.

High Risk Area: Funding the Nation's Surface Transportation System; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A.

High Risk Area: Improving the Management of IT Acquisitions and Operations; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A.

High Risk Area: Managing Risks and Improving VA Health Care; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A.

High Risk Area: Pension Benefit Guaranty Corporation Insurance Programs; Number of Criteria: Met: N/A; Partially Met: N/A; Not Met: N/A.

Legend: N/A = Not applicable.

Source: GAO. GAO-15-371T.
Note: Four high-risk areas received a "not applicable" rating because (1) they are either new to our 2015 High-Risk List (Managing Risks and Improving VA Health Care and Improving the Management of IT Acquisitions and Operations) or (2) addressing the high risk area primarily involves congressional action and the high risk criteria and subsequent ratings were developed to reflect the status of agencies' actions and the additional steps they need to take (Funding the Nation's Surface Transportation System and Pension Benefit Guaranty Corporation Insurance Programs).

[A] = issue has been on the high risk list since the 1990s.

[End of table]

Throughout the history of the high-risk program, Congress played an important role through its oversight and (where appropriate) through legislative action targeting both specific problems and the high-risk areas overall. Since our last high-risk report, several high-risk areas have received congressional oversight and legislation needed to make progress in addressing risks. Table 2 provides examples of congressional actions and of high-level administration initiatives--discussed in more detail throughout our report--that have led to progress in addressing high-risk areas. Additional congressional actions and administrative initiatives are also included in the individual high-risk areas discussed in this report.

Table 2: Selected Examples of Congressional Actions and Administration Initiatives Leading to Progress on High-Risk Areas:

High-risk area: Mitigating Gaps in Weather Satellite Data; Selected example: In January 2013, Congress passed the Disaster Relief Appropriations Act, 2013, which contained $111 million in funding for satellite gap mitigation projects. According to National Oceanic and Atmospheric Administration officials, this amount was reduced by 5 percent due to budget cuts related to sequestration.
High-risk area: Protecting Public Health through Enhanced Oversight of Medical Products; Selected example: Congress enacted the Drug Quality and Security Act in November 2013, which contains provisions that should help the Food and Drug Administration respond to challenges in two distinct areas that we reported on in July 2013: (1) the hazards posed by unsafe drugs from an increasingly complex pharmaceutical supply chain that includes "rogue" Internet pharmacies and (2) the public health threat posed by improperly compounded drugs.

High-risk area: Pension Benefit Guaranty Corporation (PBGC) Insurance Programs; Selected example: In December 2014, Congress took action to address the growing crisis in the multiemployer pension system with passage of the Multiemployer Pension Reform Act of 2014 (MPRA), which enacted several reforms responsive to our 2013 report on PBGC's multiemployer program. MPRA provided severely underfunded plans, under certain conditions and with the approval of federal regulators, the option to reduce the retirement benefits of current retirees to avoid plan insolvency and expand PBGC's ability to intervene when plans are in financial distress. While these reforms are intended to improve the program's financial condition, the future insolvency of the multiemployer program remains likely. In addition, to help address PBGC's overall deficit, the Bipartisan Budget Act of 2013 increased premium rates for the single-employer program and MPRA increased premiums for the multiemployer program.

High-risk area: Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information; Selected example: In December 2014, 5 cybersecurity-related bills were enacted into law. (1) The Federal Information Security Modernization Act of 2014 revised the Federal Information Security Management Act of 2002.
Among other things, it gave DHS responsibilities to assist OMB in overseeing civilian agency information security policies and practices for information systems. In addition, it requires agencies to include automated tools in periodic testing of systems and expands requirements for reporting major incidents and data breach notifications. (2) The Cybersecurity Workforce Assessment Act requires DHS to assess its cybersecurity workforce and develop a comprehensive strategy to enhance the readiness, capacity, training, recruitment, and retention of its cybersecurity workforce. (3) The Homeland Security Cybersecurity Workforce Assessment Act requires DHS to identify cybersecurity positions and the specialty areas of critical need in the DHS cybersecurity workforce. (4) The National Cybersecurity Protection Act of 2014 codifies the role of DHS's National Cybersecurity and Communications Integration Center, a 24x7 cyber situational awareness, incident response and management center that is a national nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. (5) The Cybersecurity Enhancement Act of 2014 authorizes the Department of Commerce, through the National Institute of Standards and Technology, to facilitate and support the development of voluntary standards to reduce cyber-risks to critical infrastructure. The law also requires the Office of Science and Technology Policy in the Executive Office of the President to facilitate agencies' development of a federal cybersecurity research and development plan.

High-risk area: DOD Approach to Business Transformation; Selected example: The Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 converted the Deputy Chief Management Officer to the Under Secretary of Defense for Business Management and Information.
The Under Secretary of Defense for Business Management and Information will assist the Deputy Secretary of Defense in his role as the Chief Management Officer (CMO). The Under Secretary of Defense for Business Management and Information will also serve as the Chief Information Officer and Performance Improvement Officer for the Department of Defense. These changes will take effect on February 1, 2017.

High-risk area: DOD Financial Management; Selected example: The National Defense Authorization Act (NDAA) for Fiscal Year 2013 required the Financial Improvement and Audit Readiness (FIAR) Plan to state the actions taken to ensure validation of the audit readiness of the Department of Defense (DOD) Statement of Budgetary Resources no later than September 30, 2014. Although the November 2014 FIAR Plan Status Report acknowledges that DOD has not met that date, Congress' action to set a specific date for the goal of DOD audit readiness is important for holding DOD accountable for progress. Congress further strengthened accountability in the NDAA for Fiscal Year 2014 by requiring a full audit of DOD's fiscal year 2018 financial statements and for those results to be submitted to Congress no later than March 31, 2019.

High-risk area: Strengthening Department of Homeland Security Management Functions; Selected example: The Department of Homeland Security (DHS) has established various initiatives collectively intended to improve its unity of effort by, among other things, improving the department's planning, programming, budgeting, and execution processes through strengthened departmental structures and increased capability. In addition, DHS has increased component-level acquisition capability by, among other things, initiating monthly Component Acquisition Executive staff forums to provide guidance and share best practices.
DHS has also strengthened its enterprise architecture program (or blueprint) to guide and constrain information technology acquisitions, and obtained a clean opinion on its financial statements for two consecutive years, fiscal years 2013 and 2014.

High-risk area: Improving and Modernizing Federal Disability Programs; Selected example: The Administration has set goals for hiring people with disabilities and launched a training course in July 2014 to help federal agencies hire, retain, and advance employees with disabilities. The Administration continues to track--and has made some progress increasing--employment for people with disabilities at federal agencies.

Source: GAO. GAO-15-371T.

[End of table]

Narrowing High Risk Areas:

Since our 2013 update, sufficient progress has been made to narrow the scope of the following two areas.

Protecting Public Health through Enhanced Oversight of Medical Products:

Figure: Protecting Public Health through Enhanced Oversight of Medical Products:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

Two criteria have been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

Our work has identified the following high-risk issues related to the Food and Drug Administration's (FDA) efforts to oversee medical products: (1) oversight of medical device recalls, (2) implementation of the Safe Medical Devices Act of 1990, (3) the effects of globalization on medical product safety, and (4) shortages of medically necessary drugs. We added the oversight of medical products to our High Risk List in 2009. Since our 2013 high-risk update, FDA has made substantial progress addressing the first two areas; therefore, we have narrowed this area to remove these issues from our High Risk List. However, the second two issues, globalization and drug shortages, remain pressing concerns.
FDA has greatly improved its oversight of medical device recalls by fully implementing all of the recommendations made in our 2011 report on this topic. Recalls provide an important tool to mitigate serious health consequences associated with defective or unsafe medical devices. We found that FDA had not routinely analyzed recall data to determine whether there are systemic problems underlying trends in device recalls. We made specific recommendations to the agency that it enhance its oversight of recalls. FDA is fully implementing our recommendations and has developed a detailed action plan to improve the recall process, analyzed 10 years of medical device recall trend data, and established explicit criteria and set thresholds for determining whether recalling firms have performed effective corrections or removals of defective products. These actions have addressed this high-risk issue.

The Safe Medical Devices Act of 1990 requires FDA to determine the appropriate process for reviewing certain high-risk devices--either reclassifying certain high-risk medical device types to a lower-risk class or establishing a schedule for such devices to be reviewed through its most stringent premarket approval process. We found that FDA's progress was slow and that it had never established a timetable for its reclassification or re-review process. As a result, many high-risk devices--including device types that FDA has identified as implantable, life sustaining, or posing a significant risk to the health, safety, or welfare of a patient--still entered the market through FDA's less stringent premarket review process. We recommended that FDA expedite its implementation of the act. Since then, FDA has made good progress and began posting the status of its reviews on its website. FDA has developed an action plan with a goal of fully implementing the provisions of the act by the second quarter of calendar year 2015.
While FDA has more work to do, it has made sufficient progress to address this high-risk issue.

DOD Contract Management:

Figure: DOD Contract Management:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

Based on our reviews of DOD's contract management activities over many years, we placed this area on our High Risk List in 1992. For the past decade, our work and that of others has identified challenges DOD faces within four segments of contract management: (1) the acquisition workforce, (2) contracting techniques and approaches, (3) service acquisitions, and (4) operational contract support. DOD has made sufficient progress in one of the four segments--its management and oversight of contracting techniques and approaches--to warrant its removal as a separate segment within the overall DOD contract management high-risk area. Significant challenges still remain in the other three segments.

We made numerous recommendations to address the specific issues we identified. DOD leadership has generally taken actions to address our recommendations. For example, DOD promulgated regulations to better manage its use of time-and-materials contracts and undefinitized contract actions (which authorize contractors to begin work before reaching a final agreement on contract terms). In addition, OMB directed agencies to take action to reduce the use of noncompetitive and time-and-materials contracts. Similarly, Congress has enacted legislation to limit the length of noncompetitive contracts and require DOD to issue guidance to link award fees to acquisition outcomes.

Over the past several years, DOD's top leadership has taken significant steps to plan and monitor progress in the management and oversight of contracting techniques and approaches.
For example, through its Better Buying Power initiatives DOD leadership identified a number of actions to promote effective competition and to better utilize specific contracting techniques and approaches. In that regard, in 2010 DOD issued a policy containing new requirements for competed contracts that received only one offer--a situation OMB has noted deprives agencies of the ability to consider alternative solutions in a reasoned and structured manner and which DOD has termed "ineffective competition." These changes were codified in DOD's acquisition regulations in 2012. In May 2014, we concluded that DOD's regulations help decrease some of the risks of one offer awards, but also that DOD needed to take additional steps to continue to enhance competition, such as establishing guidance for when contracting officers should assess and document the reasons only one offer was received. DOD concurred with the two recommendations we made in our report and has since implemented one of them.

DOD also has been using its Business Senior Integration Group (BSIG)--an executive-level leadership forum--for providing oversight in the planning, execution, and implementation of these initiatives. In March 2014, the Director of the Office of Defense Procurement and Acquisition Policy presented an assessment of DOD competition trends that provided information on competition rates across DOD and for selected commands within each military department and proposed specific actions to improve competition. The BSIG forum provides a mechanism by which DOD can address ongoing and emerging weaknesses in contracting techniques and approaches and by which DOD can monitor the effectiveness of its efforts. Further, in June 2014, DOD issued its second annual assessment of the performance of the defense acquisition system.
The assessment included data on the system's competition rate and goals, assessments of the effect of contract type on cost and schedule control, and the impact of competition on the cost of major weapon systems.

An institution as large, complex, and diverse as DOD, and one that obligates hundreds of billions of dollars under contracts each year, will continue to face challenges with its contracting techniques and approaches. We will maintain our focus on identifying these challenges and proposing solutions. However, at this point DOD's continued commitment and demonstrated progress in this area--including the establishment of a framework by which DOD can address ongoing and emerging issues associated with the appropriate use of contracting techniques and approaches--provide a sufficient basis to remove this segment from the DOD contract management high-risk area.

Progress in Selected High-Risk Areas:

In addition to the two areas that we narrowed--Protecting Public Health through Enhanced Oversight of Medical Products and DOD Contract Management--nine other areas met at least one of the criteria for removal from the High Risk List and were rated at least partially met for all four of the remaining criteria. These areas serve as examples of solid progress made to address high-risk issues through implementation of our recommendations and through targeted corrective actions. Further, each example underscores the importance of high-level attention given to high-risk areas within the context of our criteria by the administration and by congressional action. To sustain progress in these areas and to make progress in other high-risk areas--including eventual removal from the High Risk List--focused leadership attention and ongoing oversight will be needed.
NASA Acquisition Management:

Figure: NASA Acquisition Management:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Met;
Monitoring: Met;
Demonstrated Progress: Partially Met.

Three criteria have been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

The National Aeronautics and Space Administration's (NASA) acquisition management was included on the original High Risk List in 1990. NASA's continued efforts to strengthen and integrate its acquisition management functions have resulted in the agency meeting three criteria for removal from our High Risk List--leadership commitment, a corrective action plan, and monitoring. For example, NASA has completed the implementation of its corrective action plan, which was managed by the Deputy Administrator, with the Chief Engineer, the Chief Financial Officer, and the agency's Associate Administrator having led implementation of the individual initiatives.[Footnote 6]

The plan identified metrics to assess the progress of implementation, which NASA continues to track and report semi-annually. These metrics include cost and schedule performance indicators for NASA's major development projects. We have found that NASA's performance metrics generally reflect improved performance. For example, average cost and schedule growth for NASA's major projects has declined since 2011 and most of NASA's major projects are tracking metrics, which we recommended in 2011 to better assess design stability and decrease risk. In addition, NASA has taken action in response to our recommendations to improve the use of earned value management--a tool designed to help project managers monitor progress--such as by conducting a gap analysis to determine whether each center has the requisite skills to effectively utilize earned value management.
These actions have helped NASA to create better baseline estimates and track performance so that NASA has been able to launch more projects on time and within cost estimates.

However, we found that NASA needs to continue its efforts to increase agency capacity to address ongoing issues through additional guidance and training of personnel. Such efforts should help maximize improvements and demonstrate that the improved cost and schedule performance will be sustained, even for the agency's most expensive and complex projects. Recently, a few of NASA's major projects are rebaselining their cost, schedule, or both in light of management and technical issues, which is tempering the progress of the whole portfolio. In addition, several of NASA's largest and most complex projects, such as NASA's human spaceflight projects, are at critical points in implementation. We have reported on several challenges that may further impact NASA's ability to demonstrate progress in improving acquisition management.[Footnote 7]

Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

Two criteria have been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

The federal government has made significant progress in promoting the sharing of information on terrorist threats since we added this issue to the High Risk List in 2003. As a result, the federal government has met our criteria for leadership commitment and capacity and has partially met the remaining criteria for this high-risk area. Significant progress was made in this area by developing a more structured approach to achieving the Information Sharing Environment (Environment) and by defining the highest priority initiatives to accomplish.
In December 2012, the President released the National Strategy for Information Sharing and Safeguarding (Strategy), which provides guidance on the implementation of policies, standards, and technologies that promote secure and responsible national security information sharing. In 2013, in response to the Strategy, the Program Manager for the Environment released the Strategic Implementation Plan for the National Strategy for Information Sharing and Safeguarding (Implementation Plan). The Implementation Plan provides a roadmap for the implementation of the priority objectives in the Strategy. The Implementation Plan also assigns stewards to coordinate each priority objective--in most cases, a senior department official--and provides time frames and milestones for achieving the outcomes in each objective.

Adding to this progress is the work the Environment has done to address our previous recommendations. In our 2011 report on the Environment, we recommended that key departments better define incremental costs for information sharing activities and establish an enterprise architecture management plan. Since then, senior officials in each key department reported that any incremental costs related to implementing the Environment are now embedded within each department's mission activities and operations and do not require separate funding. Further, the 2013 Implementation Plan includes actions for developing aspects of an architecture for the Environment. In 2014, the program manager issued the Information Interoperability Framework, which begins to describe key elements intended to help link systems across departments to enable information sharing.
Going forward, in addition to maintaining leadership commitment and capacity, the program manager and key departments will need to continue working to address remaining action items informed by our five high-risk criteria, thereby helping to reduce risks and enhance the sharing and management of terrorism-related information.

Strengthening Department of Homeland Security Management Functions:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

Two criteria have been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

The Department of Homeland Security (DHS) has continued efforts to strengthen and integrate its management functions since those issues were placed on the High Risk List in 2003. These efforts resulted in the department meeting two criteria for removal from the High Risk List (leadership commitment and a corrective action plan) and partially meeting the remaining three criteria (capacity, a framework to monitor progress, and demonstrated, sustained progress).

DHS's top leadership, including the Secretary and Deputy Secretary of Homeland Security, have continued to demonstrate exemplary commitment and support for addressing the department's management challenges. For instance, the Department's Under Secretary for Management and other senior management officials have routinely met with us to discuss the department's plans and progress, which helps ensure a common understanding of the remaining work needed to address our high-risk designation. In April 2014, the Secretary of Homeland Security issued Strengthening Departmental Unity of Effort, a memorandum committing the agency to, among other things, improving DHS's planning, programming, budgeting, and execution processes through strengthened departmental structures and increased capability.
In addition, DHS has continued to provide updates to the report Integrated Strategy for High Risk Management, demonstrating a continued focus on addressing its high-risk designation. The integrated strategy includes key management initiatives and related corrective action plans for achieving 30 actions and outcomes, which we identified and DHS agreed are critical to addressing the challenges within the department's management areas and to integrating those functions across the department.

Further, DHS has demonstrated progress to fully address nine of these actions and outcomes, five of which it has sustained as fully implemented for at least 2 years. For example, DHS fully addressed two outcomes because it received a clean audit opinion on its financial statements for 2 consecutive fiscal years, 2013 and 2014. In addition, the department strengthened its enterprise architecture program (or technology blueprint) to guide IT acquisitions by, among other things, largely addressing our prior recommendations aimed at adding needed architectural depth and breadth.

DHS needs to continue implementing its Integrated Strategy for High Risk Management and show measurable, sustainable progress in implementing its key management initiatives and corrective actions and achieving outcomes. In doing so, it will be important for DHS to:

* identify and work to mitigate any resource gaps, and prioritize initiatives as needed to ensure it can implement and sustain its corrective actions;

* closely track and independently validate the effectiveness and sustainability of its corrective actions and make midcourse adjustments as needed; and

* make continued progress in achieving the 21 actions and outcomes it has not fully addressed, and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time.
DOD Supply Chain Management:

Figure: DOD Supply Chain Management:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

DOD supply chain management is one of the six issues that has been on the High Risk List since 1990. DOD has made progress in addressing weaknesses in all three dimensions of its supply chain management areas: inventory management, materiel distribution, and asset visibility. With respect to inventory management, DOD has demonstrated considerable progress in implementing its statutorily mandated corrective action plan. This plan is intended to reduce excess inventory and improve inventory management practices. Additionally, DOD has established a performance management framework, including metrics and milestones, to track the implementation and effectiveness of its corrective action plan and has demonstrated considerable progress in reducing its excess inventory and improving its inventory management. For example, DOD reported that its percentage of on-order excess inventory dropped from 9.5 percent in fiscal year 2009 to 7.9 percent in fiscal year 2013. DOD calculates the percentage by dividing the amount of on-order excess inventory by the total amount of on-order inventory. In response to our 2012 recommendations on the implementation of the plan, DOD continues to re-examine its goals for reducing excess inventory, has revised its goal for reducing on-hand excess inventory (it achieved its original goal early), and is in the process of institutionalizing its inventory management metrics in policy.

DOD has also made progress in addressing its materiel distribution challenges.
Specifically, DOD has implemented, or is implementing, distribution-related initiatives that could serve as a basis for a corrective action plan. For example, DOD developed its Defense Logistics Agency Distribution Effectiveness Initiative, formerly called Strategic Network Optimization, to improve logistics efficiencies in DOD's distribution network and to reduce transportation costs. This initiative accomplishes these objectives by storing materiel at strategically located Defense Logistics Agency supply sites.

Further, DOD has demonstrated significant progress in addressing its asset visibility weaknesses by taking steps to implement our February 2013 recommendation that DOD develop a strategy and execution plans that contain all the elements of a comprehensive strategic plan, including, among other elements, performance measures for gauging results. The National Defense Authorization Act for Fiscal Year 2014 required that DOD's strategy and implementation plans for asset visibility, which were in development, incorporate, among other things, the missing elements that we identified. DOD's January 2014 Strategy for Improving DOD Asset Visibility represents a corrective action plan and contains goals and objectives--as well as supporting execution plans--outlining specific objectives intended to improve asset visibility. DOD's Strategy calls for organizations to identify at least one outcome or key performance indicator for assessing performance in implementing the initiatives intended to improve asset visibility. DOD has also established a structure, including its Asset Visibility Working Group, for monitoring implementation of its asset visibility improvement initiatives.

Moving forward, the removal of DOD supply chain management from GAO's High Risk List will require DOD to take several steps.
For inventory management, DOD needs to demonstrate sustained progress by continuing to reduce its on-order and on-hand excess inventory, developing corrective actions to improve demand forecast accuracy, and implementing methodologies to set inventory levels for reparable items (i.e., items that can be repaired) with low or highly variable demand. For materiel distribution, DOD needs to develop a corrective action plan that includes reliable metrics for, among other things, identifying gaps and measuring distribution performance across the entire distribution pipeline. For asset visibility, DOD needs to (1) specify the linkage between the goals and objectives in its Strategy and the initiatives intended to implement it and (2) refine, as appropriate, its metrics to ensure they assess progress towards achievement of those goals and objectives.

DOD Weapon Systems Acquisition:

Figure: DOD Weapon Systems Acquisition:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

DOD weapon systems acquisition has also been on the High-Risk List since 1990. Congress and DOD have long sought to improve the acquisition of major weapon systems, yet many DOD programs are still falling short of cost, schedule, and performance expectations. The results are unanticipated cost overruns, reduced buying power, and in some cases delays or reductions in the capability ultimately delivered to the warfighter. Our past work and prior high-risk updates have identified multiple weaknesses in the way DOD acquires the weapon systems it delivers to the warfighter and we have made numerous recommendations on how to address these weaknesses.
Recent actions taken by top leadership at DOD indicate a firm commitment to improving the acquisition of weapon systems as demonstrated by the release and implementation of the Under Secretary of Defense for Acquisition, Technology, and Logistics' "Better Buying Power" initiatives. These initiatives include measures such as setting and enforcing affordability constraints, instituting a long-term investment plan for portfolios of weapon systems, implementing "should cost" management to control contract costs, eliminating redundancies within portfolios, and emphasizing the need to adequately grow and train the acquisition workforce. DOD also has made progress in its efforts to assess the root causes of poor weapon system acquisition outcomes and in monitoring the effectiveness of its actions to improve its management of weapon systems acquisition. Through changes to acquisition policies and procedures, DOD has made demonstrable progress and, if these reforms are fully implemented, acquisition outcomes should improve. At this point, there is a need to build on existing reforms by tackling the incentives that drive the process and behaviors. In addition, further progress must be made in applying best practices to the acquisition process, attracting and empowering acquisition personnel, reinforcing desirable principles at the beginning of the program, and improving the budget process to allow better alignment of programs and their risks and needs. While DOD has made real progress on the issues we have identified in this area, with the prospect of slowly growing or flat defense budgets for years to come, the department must continue this progress and get better returns on its weapon system investments than it has in the past. DOD has made some progress in updating its policies to enable better weapon systems outcomes. 
However, even with this call for change we remain concerned about the full implementation of proposed reforms as DOD has, in the past, failed to convert policy into practice. In addition, although we reported in March 2014 on the progress many DOD programs are making in reducing their cost in the near term, individual weapon programs are still failing to conform to best practices for acquisition or to implement key acquisition reforms and initiatives that could prevent long-term cost and schedule growth. [Footnote 8]

Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

We added this high-risk area in 1997 and expanded it this year to include protection of PII. Although significant challenges remain, the federal government has made progress toward improving the security of its cyber assets. For example, Congress, as part of its ongoing oversight, passed five bills, which became law, for improving the security of cyber assets. The first, The Federal Information Security Modernization Act of 2014,[Footnote 9] revises the Federal Information Security Management Act of 2002[Footnote 10] and clarifies roles and responsibilities for overseeing and implementing federal agencies' information security programs. The second law, the Cybersecurity Workforce Assessment Act,[Footnote 11] requires DHS to assess its cybersecurity workforce and develop a strategy for addressing workforce gaps.
The third, the Homeland Security Cybersecurity Workforce Assessment Act,[Footnote 12] requires DHS to identify all of its cybersecurity positions and calls for the department to identify specialty areas of critical need in its cybersecurity workforce. The fourth, the National Cybersecurity Protection Act of 2014,[Footnote 13] codifies the role of DHS' National Cybersecurity and Communications Integration Center as the nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. The fifth, the Cybersecurity Enhancement Act of 2014,[Footnote 14] authorizes the Department of Commerce, through the National Institute of Standards and Technology, to facilitate and support the development of voluntary standards to reduce cyber risks to critical infrastructure. The White House and senior leaders at DHS have also committed to securing critical cyber assets. Specifically, the President has signed legislation and issued strategy documents for improving aspects of cybersecurity, as well as an executive order and a policy directive for improving the security and resilience of critical cyber infrastructure. In addition, DHS and its senior leaders have committed time and resources to advancing cybersecurity efforts at federal agencies and to promoting critical infrastructure sectors' use of a cybersecurity framework. However, securing cyber assets remains a challenge for federal agencies. Continuing challenges, such as shortages in qualified cybersecurity personnel and effective monitoring of, and continued weaknesses in, agencies' information security programs need to be addressed. 
Until the White House and executive branch agencies implement the hundreds of recommendations that we and agency inspectors general have made to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs and privacy practices, a broad array of federal assets and operations may remain at risk of fraud, misuse, and disruption, and the nation's most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries. In addition to the recently passed laws addressing cybersecurity and the protection of critical infrastructures, Congress should also consider amending applicable laws, such as the Privacy Act and E-Government Act, to more fully protect PII collected, used, and maintained by the federal government.

Management of Federal Oil and Gas Resources:

Figure: Management of Federal Oil and Gas Resources:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

The Department of the Interior's (Interior) continued efforts to improve its management of federal oil and gas resources since we placed these issues on the High Risk List in 2011 have resulted in the department meeting one of the criteria for removal from our High Risk List--leadership commitment. Interior has implemented a number of strategies and corrective measures to help ensure the department collects its share of revenue from oil and gas produced on federal lands and waters. Additionally, Interior is developing a comprehensive approach to address its ongoing human capital challenges. In November 2014, Interior senior leaders briefed us on the department's commitment to address the high-risk issue area by describing the following corrective actions.

* To help ensure Interior collects revenues from oil and gas produced on federal lands and waters, Interior has taken steps to strengthen its efforts to improve the measurement of oil and gas produced on federal leases by ensuring a link between what happens in the field (measurement and operations) and what is reported to Interior's Office of Natural Resources Revenue or ONRR (production volumes and dispositions). To ensure that federal oil and gas leases are inspected, Interior is hiring inspectors and engineers with an understanding of metering equipment and measurement accuracy. The department has several efforts under way to assure that oil and gas are accurately measured and reported. For example, ONRR contracted for a study to automate data collection from production metering systems. In 2012, the Bureau of Safety and Environmental Enforcement hired and provided measurement training to a new measurement inspection team. To better ensure a fair return to the federal government from leasing and production activities from federal offshore leases, Interior raised royalty rates, minimum bids, and rental rates. For onshore federal leases, according to Interior's November 2014 briefing document, ONRR's Economic Analysis Office will provide the Bureau of Land Management (BLM) monthly analyses of global and domestic market conditions as BLM initiates a rulemaking effort to provide greater flexibility in setting onshore royalty rates.

* To address the department's ongoing human capital challenges, Interior is working with the Office of Personnel Management to establish permanent special pay rates for critical energy occupations in key regions, such as the Gulf of Mexico. Bureau managers are being trained on the use of recruitment, relocation, and retention incentives to improve hiring and retention. Bureaus are implementing or have implemented data systems to support the accurate capture of hiring data to address delays in the hiring process. Finally, Interior is developing strategic workforce plans to assess the critical skills and competencies needed to achieve current and future program goals.

To address its revenue collection challenges, Interior will need to identify the staffing resources necessary to consistently meet its annual goals for oil and gas production verification inspections. Interior needs to continue meeting its time frames for updating regulations related to oil and gas measurement and onshore royalty rates. It will also need to provide reasonable assurance that oil and gas produced from federal leases is accurately measured and that the federal government is getting an appropriate share of oil and gas revenues. To address its human capital challenges, Interior needs to consider how it will address staffing shortfalls over time in view of continuing hiring and retention challenges. It will also need to implement its plans to hire additional staff with expertise in inspections and engineering. Interior needs to ensure that it collects and maintains complete and accurate data on hiring times--such as the time required to prepare a job description, announce the vacancy, create a list of qualified candidates, conduct interviews, and perform background and security checks--to effectively implement changes to expedite its hiring process.

Medicare Improper Payments:

Figure: Medicare Improper Payments:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-371T.

[End of figure]

The Centers for Medicare & Medicaid Services (CMS), in the Department of Health and Human Services (HHS), administers Medicare, which has been on the High Risk List since 1990.[Footnote 15] CMS has continued to focus on reducing improper payments in the Medicare program, which has resulted in the agency meeting our leadership commitment criterion for removal from the High Risk List and partially meeting our other four criteria. HHS has demonstrated top leadership support for addressing this risk area by continuing to designate "strengthened program integrity through improper payment reduction and fighting fraud" an HHS strategic priority and, through its dedicated Center for Program Integrity, CMS has taken multiple actions to improve in this area. For example, as we recommended in November 2012, CMS centralized the development and implementation of automated edits--prepayment controls used to deny Medicare claims that should not be paid--based on a type of national policy called national coverage determinations. Such action will ensure greater consistency in paying only those Medicare claims that are consistent with national policies. In addition, CMS has taken action to implement provisions of the Patient Protection and Affordable Care Act that Congress enacted to combat fraud, waste, and abuse in Medicare. For instance, in March 2014, CMS awarded a contract to a Federal Bureau of Investigation-approved contractor that will enable the agency to conduct fingerprint-based criminal history checks of high-risk providers and suppliers. This and other provider screening procedures will help block the enrollment of entities intent on committing fraud. CMS made positive strides, but more needs to be done to fully meet our criteria.
For example, CMS has demonstrated leadership commitment by taking actions such as strengthening provider and supplier enrollment provisions, and improving its prepayment and postpayment claims review process in the fee-for-service (FFS) program.[Footnote 16] However, all parts of the Medicare program are on the Office of Management and Budget's list of high-error programs, suggesting additional actions are needed. By implementing our open recommendations, CMS may be able to reduce improper payments and make progress toward fulfilling the four outstanding criteria to remove Medicare improper payments from our High Risk List. The following summarizes open recommendations and procedures authorized by the Patient Protection and Affordable Care Act that CMS should implement to make progress toward fulfilling the four outstanding criteria to remove Medicare improper payments from our High Risk List. CMS should:

* require a surety bond for certain types of at-risk providers and suppliers;

* publish a proposed rule for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program;

* establish core elements of compliance programs for providers and suppliers;

* improve automated edits that identify services billed in medically unlikely amounts;

* develop performance measures for the Zone Program Integrity Contractors who explicitly link their work to the agency's Medicare FFS program integrity performance measures and improper payment reduction goals;

* reduce differences between contractor postpayment review requirements, when possible;

* monitor the database used to track Recovery Auditors' activities to ensure that all postpayment review contractors are submitting required data and that the data the database contains are accurate and complete;

* require Medicare administrative contractors to share information about the underlying policies and savings related to their most effective edits; and

* efficiently and cost-effectively identify, design, develop, and implement an information technology solution that addresses the removal of Social Security numbers from Medicare beneficiaries' health insurance cards.

Mitigating Gaps in Weather Satellite Data:

Figure: Mitigating Gaps in Weather Satellite Data:

[Refer to PDF for image: star illustration]

Leadership Commitment: Met;
Capacity: Partially Met;
Action Plan: Partially Met;
Monitoring: Partially Met;
Demonstrated Progress: Partially Met.

One Criterion has been met.

Source: GAO analysis. 2015 High Risk List GAO-15-290.

[End of figure]

The National Oceanic and Atmospheric Administration (NOAA) has made progress toward improving its ability to mitigate gaps in weather satellite data since the issue was placed on the High Risk List in 2013. NOAA has demonstrated leadership on both its polar-orbiting and geostationary satellite programs by making decisions on how it plans to mitigate anticipated and potential gaps, and in making progress on multiple mitigation-related activities. In addition, the agency implemented our recommendations to improve its polar-orbiting and geostationary satellite gap contingency plans. Specifically, in September 2013, we recommended that NOAA establish a comprehensive contingency plan for potential polar satellite data gaps that was consistent with contingency planning best practices. In February 2014, NOAA issued an updated plan that addressed many, but not all, of the best practices. For example, the updated plan includes additional contingency alternatives; accounts for additional gap scenarios; identifies mitigation strategies to be executed; and identifies specific activities for implementing those strategies along with associated roles and responsibilities, triggers, and deadlines.
In addition, in September 2013, we reported that while NOAA had established contingency plans for the loss of geostationary satellites, these plans did not address user concerns over potential reductions in capability and did not identify alternative solutions and timelines for preventing a delay in the Geostationary Operational Environmental Satellite-R (GOES-R) launch date. We recommended the agency revise its contingency plans to address these weaknesses. In February 2014, NOAA released a new satellite contingency plan that improved in many, but not all, of the best practices. For example, the updated plan clarified requirements for notifying users regarding outages and impacts and provided detailed information on responsibilities for each action in the plan. NOAA has demonstrated leadership commitment in addressing data gaps of its polar-orbiting and geostationary weather satellites by making decisions about how to mitigate potential gaps and by making progress in implementing multiple mitigation activities. However, capacity concerns--including computing resources needed for some polar satellite mitigation activities and the limited time available for integration and testing prior to the scheduled launch of the next geostationary satellite--continue to present challenges. In addition, while both programs have updated their satellite contingency plans, work remains to implement and oversee efforts to ensure that mitigation plans will be viable if and when they are needed.

Sustaining Attention on High-Risk Programs:

Overall, the government continues to take high-risk problems seriously and is making long-needed progress toward correcting them. Congress has acted to address several individual high-risk areas through hearings and legislation.
Our high-risk update and high-risk website, [hyperlink, http://www.gao.gov/highrisk/], can help inform the oversight agenda for the 114th Congress and guide efforts of the administration and agencies to improve government performance and reduce waste and risks. In support of Congress and to further progress to address high-risk issues, we continue to review efforts and make recommendations to address high-risk areas. Continued perseverance in addressing high-risk areas will ultimately yield significant benefits.

Thank you, Chairman Johnson, Ranking Member Carper, and Members of the Committee. This concludes my testimony. I would be pleased to answer any questions.

For further information on this testimony, please contact J. Christopher Mihm at (202) 512-6806 or mihmj@gao.gov. Contact points for the individual high-risk areas are listed in the report and on our high-risk web site. Contact points for our Congressional Relations and Public Affairs offices may be found on the last page of this statement.

[End of section]

Footnotes:

[1] GAO, High Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-15-290] (Washington, D.C.: Feb. 11, 2015).

[2] GAO's high risk website, [hyperlink, http://www.gao.gov/highrisk/].

[3] GAO, Information Technology: Critical Factors Underlying Successful Major Acquisitions, [hyperlink, http://www.gao.gov/products/GAO-12-7] (Washington, D.C.: Oct. 21, 2011).

[4] Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, § 831(a) (Dec. 19, 2014).

[5] GAO, Determining Performance and Accountability Challenges and High Risks, [hyperlink, http://www.gao.gov/products/GAO-01-159SP] (Washington, D.C.: November 2000).

[6] NASA's Associate Administrator oversees the agency's Office of Evaluation, which includes divisions responsible for cost analysis and independent program evaluation, respectively.

[7] See James Webb Space Telescope: Project Facing Increased Schedule Risk with Significant Work Remaining. [hyperlink, http://www.gao.gov/products/GAO-15-100]. Washington, D.C.: December 15, 2014; NASA: Actions Needed to Improve Transparency and Assess Long-Term Affordability of Human Exploration Programs. [hyperlink, http://www.gao.gov/products/GAO-14-385]. Washington, D.C.: May 8, 2014; and NASA: Assessments of Selected Large-Scale Projects. [hyperlink, http://www.gao.gov/products/GAO-14-338SP]. Washington, D.C.: April 15, 2014.

[8] GAO, Defense Acquisitions: Assessments of Selected Weapon Programs, [hyperlink, http://www.gao.gov/products/GAO-14-340SP] (Washington, D.C.: Mar. 31, 2014).

[9] Pub. L. No. 113-283 (Dec. 18, 2014).

[10] Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002).

[11] Pub. L. No. 113-246 (Dec. 18, 2014).

[12] Sec. 4, Pub. L. No. 113-277 (Dec. 18, 2014).

[13] Pub. L. No. 113-282 (Dec. 18, 2014).

[14] Pub. L. No. 113-274 (Dec. 18, 2014).

[15] The Medicare program has been on the High Risk List since 1990 but given the importance of sustained Medicare integrity to protecting federal dollars, we are focusing this high-risk rating and assessment on CMS's efforts to reduce Medicare improper payments.

[16] Medicare consists of four parts. Parts A and B are known as Medicare FFS. Part A covers hospital and other inpatient stays and Part B covers hospital outpatient, physician, and other services. Part C, also known as Medicare Advantage, is the private plan alternative to Medicare FFS under which beneficiaries receive benefits through private health plans. Part D is the outpatient prescription drug benefit.

[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548.

Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548.

[End of document]