GAO

GAO-20-626T, Drug Safety: COVID-19 Complicates Already Challenged FDA Foreign Inspection Program, June 02, 2020

In December 2019, GAO found that a growing number of foreign drug manufacturing inspections conducted by the Food and Drug Administration (FDA) were in China and India (43 percent in 2018), where most establishments that manufacture drugs for the United States were located. In fiscal year 2015, FDA, for the first time, conducted more foreign inspections than domestic inspections. However, from fiscal year 2016 through 2018, both foreign and domestic inspections decreased—by about 10 percent and 13 percent, respectively. FDA officials attributed the decline, in part, to vacancies among investigators available to conduct inspections. In March 2020, FDA announced that, due to Coronavirus Disease 2019 (COVID-19), it was postponing almost all inspections of foreign manufacturing establishments. While FDA has indicated it has other tools to ensure the safety of the U.S. drug supply, the lack of foreign inspections removes a critical source of information about the quality of drugs manufactured for the U.S. market. The 10 Countries with the Most Foreign Drug Establishments Shipping to the United States as of March 2019, by Country GAO also found that FDA had vacancies among each of the groups of investigators who conduct foreign inspections. FDA had 190 investigators in the United States who conduct the majority of foreign inspections, but an additional 58 positions were vacant. At the time of GAO's December 2019 testimony, FDA was in the process filling 26 of these vacancies, with 32 remaining. However, according to FDA officials, it could be 2 to 3 years before new staff are experienced enough to conduct foreign inspections. FDA also faced persistent vacancies among investigators in its foreign offices. GAO further found in December 2019 that FDA investigators identified persistent challenges conducting foreign inspections, raising questions about the equivalence of foreign to domestic inspections. Specifically, GAO found: While FDA inspections performed in the United States were almost always unannounced, FDA's practice of preannouncing foreign inspections up to 12 weeks in advance may have given manufacturers the opportunity to fix problems ahead of the inspection. Investigators from FDA's China and India offices had conducted some unannounced inspections, but these staff do not perform most of the inspections in these countries (27 percent and 10 percent, respectively). FDA Estimates of the Amount of Notice Provided to Foreign Drug Establishments Prior to Inspection, Fiscal Year 2018 Type of investigator Amount of notice provided Percentage of inspections involving this investigator type China office investigator 0-5 days Involved in 27 percent of total number of inspections in China India office investigator 0-5 days. Involved in 10 percent of total number of inspections in India U.S.-based investigator Generally 12 weeks Involved in: 73 percent of total number of inspections in China 90 percent of total number of inspections in India 100 percent of total number of inspections in other foreign countries Source: Interviews with Food and Drug Administration (FDA) officials and GAO analysis of FDA data. | GAO-20-626T FDA was not generally providing translators on foreign inspections. Rather, FDA continued to rely on translators provided by the foreign establishments being inspected, which investigators said raised questions about the accuracy of information FDA investigators collected. For example, one investigator said there was more risk of conflict of interest if the establishment used its own employees to translate. In addition, the establishment representative providing the translation may be someone who does not have the technical language needed, which can make it harder to communicate with establishment staff and facilitate the inspection. The overseas travel schedule can present challenges for FDA's domestically based investigators, who conduct the majority of foreign inspections. Domestically based investigators told us there is little flexibility for them to extend foreign inspections during an overseas trip. The inspections they conduct on an overseas trip are scheduled back-to-back in 3-week trips and may involve three different countries. Therefore, extending one inspection would limit the amount of time the investigator has to complete their other scheduled inspections. FDA officials said that inspections conducted by investigators based in China or India (and domestic inspections in the United States) are generally scheduled one at a time and can thus more easily be extended if the investigator needs additional time to pursue potential deficiencies. However, these in-country investigators are not involved in the majority of FDA inspections conducted in China or India. The outbreak of COVID-19 has called greater attention to the United States' reliance on foreign drug manufacturers and further highlighted the importance of ensuring a safe pharmaceutical supply chain. Much of the manufacturing of drugs for treating COVID-19 occurs overseas, which is also true of the majority of other drugs marketed in the United States. While the volume of drugs manufactured overseas for the U.S. market is not fully known, FDA reports that about 70 percent of establishments manufacturing active ingredients and more than 50 percent of establishments manufacturing finished drugs for the U.S. market were located overseas, as of August 2019. FDA is responsible for overseeing the safety and effectiveness of all drugs marketed in the United States, regardless of where they are produced, and conducts inspections of both foreign and domestic drug manufacturing establishments. GAO has had long-standing concerns about FDA's ability to oversee the increasingly global pharmaceutical supply chain, an issue highlighted in GAO's High Risk Series since 2009. In particular: GAO recommended in 2008 (GAO-08-970) that FDA increase the number of inspections of foreign drug establishments. GAO found in 2010 (GAO-10-961) that FDA continued to conduct relatively few foreign inspections than domestic inspections. GAO found in 2016 (GAO-17-143) that FDA was conducting more of these foreign drug inspections, and GAO closed its 2008 recommendation to conduct more foreign inspections. However, GAO also reported that FDA may have never inspected many foreign establishments manufacturing drugs for the U.S. market. In addition, in the summer of 2018, FDA began announcing recalls of blood pressure medications manufactured overseas that were tainted with a potential carcinogen, raising further questions about FDA’s oversight of foreign-manufactured drugs. This statement is largely based on GAO’s December 2019 testimony (GAO-20-262T) and discusses 1. the number of foreign inspections FDA has conducted, 2. inspection staffing levels, and 3. challenges unique to foreign inspections. For that testimony, GAO examined FDA data from fiscal years 2012 through 2018 and interviewed investigators from FDA’s 2019 cadre of investigators (who are based in the United States but exclusively conduct foreign drug inspections) and from FDA’s foreign offices in China and India. For more information, contact Mary Denigan-Macauley at (202) 512-7114 or deniganmacauleym@gao.gov.

Categories -

GAO-20-407, Medicaid: State Views on Program Administration Challenges, April 30, 2020

In interviews with GAO, a majority of Medicaid officials from the 50 states and the District of Columbia (hereafter, states) identified federal Medicaid policies—including laws, regulations, and procedures—in four program areas that posed a significant or moderate challenge to effective program administration. Of note: Coverage exclusions and care coordination. Officials from 47 states identified challenges with a policy that generally excludes Medicaid coverage for residents of institutions for mental diseases. State officials cited this coverage exclusion as a barrier to their ability to use Medicaid funds to provide a full continuum of care to beneficiaries with complex health care needs, including mental health or substance use treatment needs. Covered benefits and eligibility. Officials from 39 states identified challenges related to the requirement for coverage of outpatient prescription drugs, noting that newer drugs are often higher cost and may not yet have an established clinical benefit. Medicare and Medicaid alignment. Officials from 42 states identified challenges related to integrating care for beneficiaries eligible for both Medicare and Medicaid, due in part to differences between the programs. Payment methods. Officials from 27 states identified challenges with the requirement to pay federally qualified health centers and rural health clinics based on historic costs, citing higher payments than for other providers. State officials also reported challenges with the processes for obtaining federal approval to waive certain statutory Medicaid requirements, citing lengthy delays and insufficient guidance. Finally, state officials identified challenges with some federal reporting requirements, including concerns about whether certain reported data are useful for program oversight. The Centers for Medicare & Medicaid Services (CMS) recognizes many of the challenges identified by state officials and has taken steps to address some of them. Based on its prior work and the perspectives of others, GAO identified broader considerations for any potential federal actions to address these challenges, including tradeoffs and considerations related to the following: Targeting oversight to critical areas. GAO, state officials, and others noted the importance of targeting federal oversight to ensure beneficiary access and quality of care. In addition, GAO's prior work identified the need to target oversight to reduce improper payments and manage other program risks. Leveraging Medicaid data. Accurate and complete data on key measures—such as beneficiary access, service use, and related costs—are critical for informing any potential change to Medicaid policies. Balancing federal oversight with state flexibility. Balancing states' ongoing efforts to waive statutory requirements with an appropriate level of oversight is another consideration. GAO's prior work has identified multiple instances where improved oversight of such efforts was warranted. Medicaid—a joint federal-state health care financing program—is administered at the state level and overseen at the federal level by CMS. Since 2003, GAO has designated Medicaid as a high-risk program due to concerns related to adequacy of fiscal oversight, among other concerns. The Medicaid program has evolved considerably in areas such as eligibility, service delivery, and payment methods. Given these and other changes to Medicaid over time, stakeholders have questions about the impact of the range and complexity of federal Medicaid policies on states' ability to efficiently administer their programs. GAO was asked to assess a range of federal Medicaid policies. This report describes (1) states' perspectives on any challenges related to federal Medicaid policies, including laws, regulations, and procedures; and (2) considerations for any related federal action to address the identified challenges. GAO interviewed Medicaid officials from 50 states and the District of Columbia to obtain information on challenges related to Medicaid program areas, Medicaid waiver processes, and Medicaid reporting requirements. GAO also obtained input from CMS officials on state-identified challenges, reviewed CMS documents and prior GAO work, and reviewed publications from organizations representing Medicaid providers and beneficiaries. The Department of Health and Human Services provided technical comments on a draft of this report, which GAO incorporated as appropriate. For more information, contact Carolyn L. Yocom at (202) 512-7114 or yocomc@gao.gov.

Categories -

GAO-20-402, Internet Protocol Version 6: DOD Needs to Improve Transition Planning, June 01, 2020

The Department of Defense's (DOD) current initiative to transition to Internet Protocol version 6 (IPv6), which began in April 2017, follows at least two prior attempts to implement IPv6 that were halted by DOD. In one effort that began in approximately 2003, DOD initially did make progress implementing IPv6 on its systems, but then the department ended the effort due to security risks and a lack of personnel trained in IPv6. DOD initiated another attempt in response to 2010 OMB guidance. However, this initiative was terminated shortly thereafter, again due to security concerns. For its current initiative, DOD has not completed three of four longstanding OMB requirements (see table). Without an inventory, a cost estimate, or a risk analysis, DOD's plans have a high degree of uncertainty about the magnitude of work involved, the level of resources required, and the extent and nature of threats, including cybersecurity risks. Status of the Department of Defense's (DOD) Efforts to Complete Selected Office of Management and Budget (OMB) Internet Protocol version 6 (IPv6) Transition Planning Requirements, as of March 2020 OMB requirement Completed? Assign an official to lead and coordinate agency planning Yes Complete an inventory of existing IP compliant devices and technologies No Develop a cost estimate No Develop a risk analysis No Source: GAO analysis of DOD documentation. | GAO-20-402 In February 2019, DOD released its own IPv6 planning and implementation guidance that listed 35 required transition activities, 18 of which were due to be completed before March 2020. DOD completed six of the 18 activities as of March 2020. DOD officials acknowledged that the department's transition time frames were optimistic; they added that they had thought that the activities' deadlines were reasonable until they started performing the work. Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule. Addressing these basic planning requirements would supply DOD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and time frames. An internet protocol provides the addressing mechanism that defines how and where information moves across interconnected networks. Increased use of the internet has exhausted available IPv4 address space, spurring the adoption of its successor protocol, IPv6. OMB has required that agencies plan for transitioning from IPv4 to IPv6. Senate and House reports accompanying the 2020 National Defense Authorization Act included provisions for GAO to review DOD's IPv6 transition planning efforts. This report (1) identifies past DOD attempts to transition to IPv6, (2) examines the extent to which DOD has completed OMB's planning requirements for its current transition effort, and (3) identifies DOD's progress in completing its own IPv6 transition activities. To do so, GAO assessed DOD's IPv6 transition plans and documentation against OMB's requirements, reviewed DOD's planned IPv6 transition activities, and interviewed agency officials. GAO is making three recommendations to DOD to develop an inventory of IP compliant devices, an estimate of the IPv6 transition costs, and an analysis of IPv6 transition risk. DOD agreed with the recommendations to develop a cost estimate and risk analysis, but disagreed with the recommendation to develop an inventory of IP-compliant devices. Nevertheless, GAO believes the recommendation to develop an inventory is warranted. For more information, contact Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.

Categories -

GAO-20-213, Agile Software Development: DHS Has Made Significant Progress in Implementing Leading Practices, but Needs to Take Additional Actions, June 01, 2020

The Department of Homeland Security (DHS) has taken steps to implement selected leading practices in its transition from waterfall, an approach that historically delivered useable software years after program initiation, to Agile software development, which is focused on incremental and rapid delivery of working software in small segments. As shown below, this quick, iterative approach is to deliver results faster and collect user feedback continuously. Comparison of Agile and Waterfall Methods for Developing Software DHS has fully addressed one of three leading practice areas for organization change management and partially addressed the other two. Collectively, these practices advise an organization to plan for, implement, and measure the impact when undertaking a significant change. The department has fully defined plans for transitioning to Agile development. DHS has partially addressed implementation—the department completed 134 activities but deferred roughly 34 percent of planned activities to a later date. These deferred activities are in progress or have not been started. With respect to the third practice, DHS clarified expected outcomes for the transition, such as reduced risk of large, expensive IT failures. However, these outcomes are not tied to target measures. Without these, DHS will not know if the transition is achieving its desired results. DHS has also addressed four of the nine leading practices for adopting Agile software development. For example, the department has modified its acquisition policies to support Agile development methods. However, it needs to take additional steps to, among other things, ensure all staff are appropriately trained and establish expectations for tracking software code quality. By fully addressing leading practices, DHS can reduce the risk of continued problems in developing and acquiring current, as well as, future IT systems. Many of DHS's major IT acquisition programs have taken longer than expected to develop or failed to deliver the desired value. In April 2016, to help improve the department's IT acquisition and management, DHS identified Agile software development as the preferred approach for all of its IT programs and projects. GAO was asked to examine DHS's adoption of Agile software development. The objective of this review was to assess the extent to which DHS has addressed selected leading practices for its transition to the use of Agile software development. GAO identified leading practices for planning, implementing, and measuring organizational change that apply to DHS's transition to Agile through its review of guidance published by the Project Management Institute and GAO. GAO also reviewed work it performed to develop leading practices for Agile software development adoption. GAO analyzed DHS documentation, such as policies, guidance, plans, and working group artifacts and assessed them against the selected leading practices. GAO also reviewed the implementation of selected practices within individual IT projects. Finally, GAO interviewed DHS officials to discuss any practices that were not fully implemented. GAO is making 10 recommendations to DHS to implement selected leading practices for its transition to Agile software development. DHS agreed with GAO's recommendations and described actions taken and planned to address them. For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.

Categories -

GAO-20-424, Wildfire: Information on Forest Service Response, Key Concerns, and Effects of the Chetco Bar Fire, April 29, 2020

The Chetco Bar Fire was first reported in July 2017, burning in the Rogue River-Siskiyou National Forest in Oregon. Because of the remote, steep terrain, initial Forest Service attempts to fight the fire at close range were unsuccessful. The fire grew slowly over the next month. Firefighters, directed by the Forest Service, responded in various ways, such as by constructing “firelines”—clearing vegetation—in an effort to stop the fire's spread. In mid-August, strong, hot winds caused the fire to expand rapidly, from 8,500 acres to more than 90,000 acres over several days, threatening thousands of homes. Firefighters continued constructing firelines and dropped water and retardant on the fire to try to contain it. In September, the weather changed and cooler days and rain moderated the fire. Firefighers fully contained the fire in November (see figure). Final Perimeter of the Chetco Bar Fire in Oregon, November 2017 Forest Service officials and stakeholders raised a number of key concerns about the Forest Service's response to the Chetco Bar Fire. For example, some said that if the Forest Service's response had been more aggressive, it might have kept the fire from growing and threatening homes. Forest Service officials said that in making firefighting decisions, they prioritized firefighter safety and considered the likelihood that a particular response would be successful. The agency has taken steps to improve decision-making for future wildfires, such as developing a tradeoff analysis tool to help decision makers assess firefighting options. Forest Service officials, stakeholders, and documents identifed various effects of the fire. Some of these sources cited negative effects including destruction of six homes, damage to roads and trails, and damage to habitat for the northern spotted owl. However, the fire likely improved habitat for some species, such as woodpeckers that eat beetles that feed on burned trees, according to officials. A wildfire known as the Chetco Bar Fire began in the summer of 2017 in southwest Oregon and burned more than 190,000 acres over nearly 4 months. Since the fire began in a national forest, the Department of Agriculture's Forest Service played a key role in managing the firefighting response. Because the fire also threatened other lands, state and private firefighting entities were also involved. GAO was asked to review the Forest Service's response to and the effects of the Chetco Bar Fire. This report describes (1) key events of the Chetco Bar Fire and the Forest Service's firefighting response, (2) key concerns raised by Forest Service officials and stakeholders about the Forest Service's response, and (3) effects of the fire on local communities and resources. GAO reviewed federal documents related to key events and the response, such as incident action plans and daily status summaries; analyzed reports on effects of the fire; and visited burned areas. GAO also interviewed Forest Service, state, and local officials involved in the response, as well as other stakeholders—such as representatives of nongovernmental organizations and community members—to discuss key concerns and effects of the fire. To identify the stakeholders, GAO reviewed documents and interviewed Forest Service officials and stakeholders, who suggested others to interview. For more information, contact Anne-Marie Fennell at (202) 512-3841 or fennella@gao.gov.

Categories -

GAO-20-371, Defense Health Care: Additional Information and Monitoring Needed to Better Position DOD for Restructuring Medical Treatment Facilities, May 29, 2020

The Department of Defense's (DOD) methodology to determine Medical Treatment Facilities' (MTF) restructuring actions in its implementation plan (the Plan) prioritized statutory elements. These included military readiness, adequacy of nearby civilian health care, and cost-effectiveness. However, DOD based part of its methodology on incomplete and inaccurate information. Civilian health care assessments did not consistently account for provider quality. DOD generally assumed that identified providers were of sufficient quality. GAO found that DOD considered the quality of nearby civilian providers for one of 11 selected MTFs. In this instance, information from the MTF about the variable quality of nearby civilian health care led to DOD's determination that such care was not yet adequate to support MTF restructuring. Officials GAO interviewed from other MTFs discussed concerns about quality of care from nearby civilian providers. Civilian health care assessments did not account for access to an accurate and adequate number of providers near MTFs. DOD may have included in its assessments providers who do not meet DOD's access-to-care standards for certain beneficiaries. For 11 selected MTFs, GAO found that about 56 percent of civilian primary care providers and 42 percent of civilian specialty providers that DOD identified as being nearby exceeded DOD's drive-time standards. Including such providers in its assessments means that DOD could have overestimated the adequacy of civilian health care providers in proximity to some MTFs. Cost-effectiveness assessments were based on a single set of assumptions. DOD concluded that civilian health care was more cost-effective than care in its MTFs without considering other assumptions that could affect its conclusions. For example, DOD applied assumptions about the cost of military personnel salaries, MTF workloads, and reimbursement rates for TRICARE that likely underestimated the cost-effectiveness of MTFs. GAO also found that DOD conducted limited assessments of MTFs' support to the readiness of military primary care and nonphysician medical providers—an issue DOD officials stated they will address during MTF transitions. Until DOD resolves methodology gaps by using more complete and accurate information about civilian health care quality, access, and cost-effectiveness, DOD leaders may not fully understand risks to their objectives in restructuring future MTFs. DOD's Plan identified actions needed to facilitate MTF restructuring, but the department is not well positioned to execute the transitions. DOD's Plan poses challenges for the military departments and the Defense Health Agency (DHA) related to MTF providers' readiness. Yet, DOD plans to move forward with restructuring without a process to monitor progress and challenges. By establishing roles and responsibilities for executing and monitoring MTF restructuring transitions, DOD can be better positioned to navigate organizational boundaries between the DHA that manages the MTFs and the military departments that provide staff. Additionally, by defining measurable objectives and progress thresholds, DOD can better ensure it is meeting objectives and facilitating timely adjustments to MTF restructuring transitions, as needed. DOD's MTFs are critical to the medical readiness of servicemembers and providing readiness training for about 107,000 active-duty medical providers. About 9.6 million beneficiaries are eligible for DOD health care through MTFs and civilian network providers. To further support readiness, the National Defense Authorization Act (NDAA) for Fiscal Year 2017 required DOD to plan to restructure MTFs. DOD's February 2020 Plan included decreasing capabilities at 43 MTFs and closing five. The NDAA included a provision for GAO to review the Plan. This report addresses the extent to which 1) the Plan's methodology prioritized statutory elements and considered complete information, and 2) DOD is positioned to execute MTF restructuring transitions. GAO reviewed DOD's Plan, MTF workload and cost data, and interviewed DOD leaders and officials at 11 MTFs selected on the basis of military department, restructuring action, and location. GAO is making six recommendations, including that future MTF assessments use more complete and accurate information about civilian health care quality, access, and cost-effectiveness; and that DOD establish roles, responsibilities, and progress thresholds for MTF transitions. DOD partially concurred with four recommendations and concurred with two. As discussed in the report, GAO continues to believe that all six recommendations are warranted. For more information, contact Brenda S. Farrell at (202) 512-3604 or farrellb@gao.gov.

Categories -

GAO-20-436, Whistleblowers: Office of Special Counsel Should Require Information on the Probationary Status of Whistleblowers, May 28, 2020

GAO found that existing data are not sufficient to determine if the rates of filing whistleblower disclosures, retaliation complaints, or both vary by probationary status. The average annual number of probationary and permanent federal employees from fiscal years 2014 to 2018 was approximately 1.9 million employees. Over this time frame, an average of approximately 2,800 employees—about 0.15 percent—filed complaints each year. Existing data were not sufficient to determine probationary status of employees for over 18 percent of each year's complaints. Therefore, it is not possible to determine whether probationary employees file at lower, comparable, or higher rates than their prevalence in the overall employee population. Specifically, probationary employees represented about 13.5 percent, on average, of the federal workforce, and GAO estimates that they filed from 6.6 percent to 18.2 percent of complaints. GAO estimates suggest that both permanent and probationary employees who filed complaints were consistently terminated at higher rates than federal employees government-wide. For example, in fiscal year 2018, the termination rate for probationary employees government-wide was 1.1 percent, while the lowest estimated rate of termination among probationary employees who filed a complaint was 10.1 percent. For permanent employees, the overall termination rate was 0.3 percent, while the lowest estimated rate for filers was 2.9 percent. GAO estimates also suggest that probationary employees who filed complaints were terminated at higher rates than permanent employees who did the same. For example, in fiscal year 2018: The lowest estimated termination rate for probationary employees who filed whistleblower disclosures (10.1 percent) exceeded the maximum estimated rate for permanent employees who did the same (5.2 percent). The lowest estimated termination rate for probationary employees who filed retaliation complaints (17.4 percent) exceeded the maximum estimated rate for permanent employees who did the same (9.9 percent). The lowest estimated termination rate for probationary employees who filed both types (14.1 percent) exceeded the maximum estimated rate for permanent employees who did the same (13.2 percent). The Office of Special Counsel's (OSC) complaint form allows but does not require complainants to identify whether they are probationary or permanent employees when filing a whistleblower disclosure or retaliation complaint. OSC officials said they try to limit mandatory data fields to the information that is necessary for processing a case, and that they have no plans to do any analysis of employees in their probationary period who file claims. However, the higher rates of termination GAO found for filers generally, and probationary employees specifically, suggests that there could be a risk of unequal treatment. Without first identifying probationary employees who file whistleblower claims, OSC would lack complete data should it decide at some point to analyze the effect of probationary status on filers. Collecting and maintaining such data on every claimant would provide OSC or other entities the ability to analyze termination rates or other issues related to a whistleblower's probationary status. Federal employee whistleblowers—individuals who report allegations of wrongdoing—potentially help to safeguard the government from fraud, waste, and abuse. OSC was created to help protect whistleblowers. Probationary employees—generally those with less than 1 or 2 years of federal service—can be especially vulnerable to reprisal because they have fewer protections from adverse personnel actions, including termination. A 2017 law included a provision for GAO to examine retaliation against whistleblowers in their probationary period. This report examines (1) the extent to which probationary employees filed whistleblower disclosures or reprisal complaints, (2) termination rates of complainants, and (3) OSC procedures related to probationary employees. GAO used complaint data and workforce data to identify the probationary status of employees who filed claims with OSC from fiscal year 2014 to 2018 (the most recent full years of available data); estimated the number of instances where claimants were terminated; and reviewed OSC procedures. GAO recommends that OSC require claimants to identify their status as permanent or probationary employees. OSC disagreed with GAO's recommendation. GAO continues to believe the recommendation is valid, as discussed in the report. For more information, contact Yvonne D. Jones at (202) 512-2717 or jonesy@gao.gov.

Categories -

GAO-20-527SP, Science & Tech Spotlight: Quantum Technologies, May 28, 2020

Why This Matters Quantum technologies could revolutionize sensors, computation, and communication. As a result, they could strengthen the country's national security position and better protect sensitive and classified information, although many years of development may be needed to do so. The Technology What is it? Quantum technologies build on the study of the smallest particles of energy and matter to collect, generate, and process information in ways not achievable with existing technologies. Quantum sensors could be used in science, industry, and navigation to make more precise and accurate measurements and offer potential benefits for critical defense and civilian applications, including maintaining timing and position accuracy in GPS-challenged or denied environments. Quantum communications could allow businesses and governments to securely transmit information. Quantum computers could dramatically accelerate computation for some applications, such as machine learning and decrypting information. Figure 1. Trapped Ion Qubit Test Bed in the Quantum Information and Integrated Nanosystems Group at Lincoln Laboratory. Qubit is a term for a quantum bit. How does it work? Quantum technologies take advantage of counterintuitive properties that apply at the smallest scale. One property is a connection between two or more particles called "entanglement," in which characteristics are linked between particles, and measuring one particle reveals information about the others. Another property is "superposition," which allows a particle, while unobserved, to be in all possible observable states simultaneously. A third property is the "no cloning theorem," which prohibits the copying of unknown quantum states. Quantum technologies use a combination of these properties to sense, communicate, and compute. For example, quantum sensors could use entangled particles of light to overcome stealth technologies and be resistant to advanced radar jamming. Quantum communication uses these properties to securely exchange encryption keys and determine if a message has been intercepted. And the "quantum bits" or "qubits" in a quantum computer use superposition and entanglement to process data in unique and potentially more effective ways. How mature is it? Quantum technologies are not yet fully functional, although some are more mature than others. Quantum sensors are the most established, with some applications already in use. These technologies, which include atomic clocks and gyroscopes, need further development to reach their potential, likely requiring at least 5 more years. Quantum communications have progressed in the last decade, with advances in the use of fiber optics or satellites for quantum key distribution, to ensure that quantum cryptographic keys cannot be intercepted without the eavesdropper being detected. However, such technologies may have limited range. Fiber optic links become ineffective for quantum key distribution at distances over 60 miles. Satellite links have been demonstrated for ground distances of up to 4,700 miles, but such demonstrations are not entirely based on quantum physics and therefore are not fully secure. Fiber optic technologies will likely require at least 10 years of development before they can be used for long-distance secure networks. Satellite communications may be available sooner, but will require more development before they are fully secure and useful for practical quantum communications. Quantum computers are available with dozens of the fundamental components known as physical qubits, although a general use quantum computer may need more than 100,000 physical qubits. To develop quantum computers that can solve problems of practical significance—such as factoring the large numbers used in encryption schemes—it will be necessary to improve their hardware; such efforts could take 20 years. For example, chips would need to hold more physical qubits while maintaining accuracy and precision. Opportunities Quantum technologies may enable the following advances, assuming extensive technological progress: Improve measurement. Quantum sensors may be able to locate previously invisible or stealth targets, or determine an object’s location and speed, even if GPS is jammed or spoofed, or if a satellite link is lost. Enable secure communication. Quantum communications may eventually allow for completely secure quantum digital signatures, secure sharing of sensitive and classified information, or other applications. Solve complex computational problems. Quantum computers may one day be able to quickly complete tasks that classical computers cannot carry out efficiently—such as factoring large numbers, a task central to cracking current cryptographic systems. Create a quantum internet. Future communication technologies may be able to securely transmit information between quantum computers. The resulting quantum internet would be inaccessible to outside computers, because any attempts to access the network would reveal a hacker’s presence. Challenges Quantum technologies face many challenges to reaching full potential and, once developed, will pose serious challenges to information security. Institutional boundaries. Quantum technology development will depend on collaboration across institutions and skill sets, and on a multidisciplinary workforce with training in quantum physics, engineering, mathematics, and computer science. Technology development. Quantum technologies depend heavily on developing new capabilities. For example, quantum computers use extremely fragile qubits that require refrigeration technologies that maintain temperatures close to absolute zero, requiring qubits that compute at warmer temperatures, along with technologies to better insulate them from the environment. Further, limited infrastructure may be available to test and evaluate these technologies. Determining limits. Quantum sensors will need to surpass current operating limits in order to achieve the ultimate quantum physics limits to precision measurement. For example, it may be necessary to develop new materials in order to increase precision. Application and algorithm development. Quantum computers will speed up some applications, such as machine learning, chemistry modeling, and cryptography, and each application needs work in developing the quantum algorithms the computer would use. But quantum computers will not speed up the solving of some problems, such as those requiring large amounts of data. Transitioning cybersecurity. A full-scale quantum computer has the potential to break standard encryption technologies, creating a major information security risk. The cybersecurity infrastructure will need to evolve to create quantum-proof encryption and protect existing information. Policy Context and Questions Quantum technologies will require additional years of development and could revolutionize how people measure, communicate, and compute. The development of such technologies raises many policy questions: How can the United States build a workforce with the diverse, cross-cutting skills needed to develop quantum technologies? What are the national security implications of other nations developing quantum technologies? How might the United States prepare and respond? What are the implications of quantum sensor technologies that could track stealth targets? What are the implications of a quantum computer being able to break present-day encryption schemes? For more information, contact Karen Howard at (202) 512-6888 or HowardK@gao.gov.

Categories -

GAO-20-123, Cybersecurity: Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States, May 27, 2020

Although the Centers for Medicare and Medicaid Services (CMS), Federal Bureau of Investigation (FBI), Internal Revenue Service (IRS), and Social Security Administration (SSA) each established requirements to secure data that states receive, these requirements often had conflicting parameters. Such parameters involve agencies defining specific values like the number of consecutive unsuccessful logon attempts prior to locking out the user. Among the four federal agencies, the percentage of total requirements with conflicting parameters ranged from 49 percent to 79 percent. Regarding variance with National Institute of Standards and Technology guidance, GAO found that the extent to which the four agencies did not fully address guidance varied from 9 percent to 53 percent of total requirements. The variances were due in part to the federal agencies' insufficient coordination in establishing requirements. Although the Office of Management and Budget's (OMB) Circular A-130 requires agencies to coordinate, OMB has not ensured that agencies have done so. Further, while federal agencies' variance among requirements may be justified in some cases because of particular agency mission needs, the resulting impact on states is significant, according to state chief information security officers (see figure). Extent of Impacts Identified by State Chief Information Security Officers as a Result of Variances in Selected Federal Agencies' Cybersecurity Requirements Note: Not all respondents answered all survey questions. The figure is based on 46 responses. The four federal agencies that GAO reviewed either fully or partially had policies for coordinating assessments with states, but none of them had policies for coordinating assessments with each other. State chief information security officers that GAO surveyed reinforced the need to coordinate assessments by identifying impacts on state agencies' costs, including multiple federal agencies that requested the same documentation. Coordinating with state and federal agencies when assessing state agencies' cybersecurity may help to minimize states' cost and time impacts and reduce associated federal costs. Federal agencies reported spending about $45 million for fiscal years 2016 through 2018 on assessments of state agencies' cybersecurity. To protect data that are shared with state government agencies, federal agencies have established cybersecurity requirements and related compliance assessment programs. Specifically, they have numerous cybersecurity requirements for states to follow when accessing, storing, and transmitting federal data. GAO was asked to evaluate federal agencies' cybersecurity requirements and related assessment programs for state agencies. The objectives were to determine the extent to which (1) selected federal agencies' cybersecurity requirements for state agencies varied with each other and federal guidance, and (2) federal agencies had policies for coordinating their assessments of state agencies' cybersecurity. GAO reviewed four federal agencies that shared data with states and had assessment programs: CMS, FBI, IRS, and SSA. GAO compared, among other things, each agency's cybersecurity requirements to federal guidance and to other selected agencies' requirements; and reviewed federal agencies' policies for conducting assessments. In addition, GAO examined OMB's efforts to foster coordination among federal agencies. GAO also surveyed and received responses from chief information security officers in 50 out of 55 U.S. states, territories, and the District of Columbia to obtain their perspectives. GAO is making 12 recommendations to the four selected agencies and to OMB. Three agencies agreed with the recommendations and one agency (IRS) partially agreed or disagreed with them. OMB did not provide comments. GAO continues to believe all recommendations are warranted. For more information, contact Vijay D’Souza at (202) 512-6240 or dsouzav@gao.gov.

Categories -