Information Security

Open Recommendations

Department of Government Efficiency: Treasury Needs to Fully Implement Data Protection Controls

GAO-26-108131
Apr 28, 2026
6 Open Recommendations
Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to update BFS policy to define the minimum screening requirements for obtaining broad access to Treasury payment system data. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to update BFS policy to require employees to take IT security and privacy training before obtaining broad access to Treasury payment systems. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement a process for verifying that employees sign BFS IT security rules of behavior prior to receiving broad access to payment systems. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement a process for verifying that broad access granted to payment systems is consistent with the level approved by the authorizing official. (Recommendation 4)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to establish and implement processes for conducting exit interviews and obtaining signatures on post-employment documentation in cases where these cannot occur before individuals with access to payment systems leave the agency. In doing so, the Commissioner should expeditiously implement this process for the anonymized former employee discussed in this report (employee B). (Recommendation 5)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of the Fiscal Service
Recommendation: The Secretary of the Treasury should direct the Commissioner of the Fiscal Service to either (1) configure BFS's data loss prevention tool to identify and block emails containing unencrypted payment information sent outside the agency, or (2) update BFS's process for reviewing emails with unencrypted payment information to include messages sent to other federal agencies and implement the updated process. (Recommendation 6)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance

GAO-26-107681
Mar 26, 2026
2 Open Recommendations
Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should specify examples of known privacy-related risks that agencies should consider when updating their policies as they pertain to AI. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should facilitate additional information sharing or issue government-wide guidance related to:

  • how agencies should consider privacy when evaluating and auditing AI models that contain sensitive information;
  • storing data in a manner where sensitive data can be separated from the dataset;
  • clear rules, norms, and best practices with respect to privacy that agencies should use when developing AI solutions internally;
  • performance metrics agencies can use to assess privacy-related impacts when using AI;
  • actions agencies can take to ensure that members of the public who interact with their AI technologies understand what they are consenting to;
  • technological tools agencies can use to protect sensitive data when using AI;
  • incorporating AI-specific considerations into privacy impact assessments, including identifying risks and informing the public about how PII is involved in the use of AI; and
  • potential tradeoffs between privacy and performance agencies can consider when using AI. (Recommendation 2)

Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation

GAO-26-107955
Mar 12, 2026
1 Open Recommendation
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure the DOD Chief Information Officer assesses and documents key external factors that could significantly affect the implementation of the CMMC program and develops approaches it will take to address those factors. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Weapon System Sustainment: DOD Can Improve Planning and Management of Data Rights [Reissued with revisions on Sep. 29, 2025]

GAO-25-107468
Sep 29, 2025
4 Open Recommendations
Agency Affected: Congress
Recommendation: Congress should consider clarifying how DOD and contractors should treat detailed manufacturing or process data that is necessary for OMIT purposes. (Matter for Consideration 1)
Status: Open
We reviewed recent legislation and did not identify any congressional actions as of February 2026.

Agency Affected: Department of Defense
Recommendation: The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) should ensure the Director of the IP Cadre updates the IP guidebook or produces guidance to address the courses of action available to programs in sustainment to obtain IP and data rights. (Recommendation 1)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Defense
Recommendation: OUSD A&S should ensure the Director of the IP Cadre formally assesses available tools to assist programs with the review of data deliverables, in coordination with officials responsible for the tools' development. (Recommendation 2)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Defense
Recommendation: OUSD A&S should ensure the Director of the IP Cadre establishes a process to collect and distribute IP and data rights lessons learned from programs in sustainment. (Recommendation 3)
Status: Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

GAO Contacts