GAO

Federal Maritime Commission: Improved Use of Data on Shippers' Complaints Could Enhance Oversight

What GAO Found

The COVID-19 pandemic disrupted the maritime shipping industry, causing congested ports, high demand for cargo space on ships, and volatile shipping rates. Selected shippers of hazardous materials (hazmat), which include chemicals and other types of cargo critical to the U.S. economy, told GAO they were particularly affected during the peak of the pandemic (2020 through 2022). All six hazmat shippers GAO interviewed said they had difficulty securing space on ships, and five said they experienced long delays. Shippers attributed these challenges to safety risks and additional requirements associated with hazmat, which made it less desirable for carriers to accommodate on their ships. GAO found that while hazmat imports and exports increased from 2018 through 2020, hazmat imports stagnated and exports decreased from 2020 through 2022. Hazmat imports increased almost 32 percent from 2018 through 2020, but grew less than 1 percent afterward. Hazmat exports increased 19 percent from 2018 through 2020 and declined by 7 percent afterward. Conversely, non-hazmat imports and exports grew at a higher rate during the pandemic, which carriers attributed to non-hazmat shippers paying higher shipping rates.

[Figure: Hazardous Materials Imports and Exports Transported on Cargo Ships in Twenty-Foot Equivalent Units, 2018–2022]

The Federal Maritime Commission (FMC) is responsible for ensuring a competitive and reliable ocean transportation system for all U.S. shippers. Its oversight efforts include receiving complaints from shippers about carriers. FMC can use this information to respond to shippers' concerns and initiate investigations of carriers. However, GAO found several shortcomings in how FMC collects, manages, and uses complaint data: (1) FMC does not consistently capture certain details—such as type of cargo, whether cargo is hazmat, and incident location—which limits FMC's ability to analyze complaint trends; and (2) key FMC procedures for managing the data are out of date and incomplete. GAO also found that while FMC plans to modernize how it collects, manages, and uses information from complaints, it lacks a strategy to guide these efforts. Such a strategy could include key information on planned updates, such as goals, required investments, and expected outcomes. Taking steps to address these shortcomings and developing a data strategy could help FMC more effectively use data to oversee the maritime shipping industry.

Why GAO Did This Study

The maritime shipping industry is vital to the global economy and accounted for $2.3 trillion in U.S. trade in 2022. FMC is responsible for overseeing this industry, including protecting U.S. shippers from unfair or unjustly discriminatory practices related to securing vessel space. The Ocean Shipping Reform Act of 2022 includes a provision for GAO to examine whether carriers disadvantaged shippers of hazmat during the pandemic through the systemic and unreasonable denial of vessel space or other means. This report examines, among other things: (1) shippers' experiences transporting hazmat during the pandemic; (2) how the amount of hazmat imports and exports changed from 2018 through 2022 (the most recent data available at the time of GAO's review); and (3) actions FMC has taken to collect, manage, and use its complaint data. For these objectives, GAO reviewed pertinent FMC regulations and policies; analyzed trade data; visited two ports; and interviewed FMC officials as well as representatives of six shippers and five carriers. GAO selected these shippers and carriers based on a review of recent FMC rulemakings and on stakeholders' recommendations.

Biometric Identification Technologies: Considerations to Address Information Gaps and Other Stakeholder Concerns

What GAO Found

The accuracy of biometric identification technologies has improved according to the body of research conducted in a laboratory setting, particularly for facial recognition, but gaps remain in understanding real-world performance. Various factors, such as a lack of demographic diversity in the datasets on which biometric algorithms are trained, can lead to differences in accuracy across demographic groups according to literature GAO reviewed and researchers GAO interviewed. While differences in technologies' performance have been studied in laboratory testing, performance in real-world settings has been much less extensively studied because, for example, of challenges acquiring meaningful samples across demographic groups. Selected stakeholders provided examples of positive and negative effects associated with the use of biometric identification in communities facing historical patterns of disadvantage. Positive examples included convenience and increased access to public benefits and services, while negative examples included false arrests and subjecting communities to surveillance. The selected stakeholders identified concerns about the use of biometric identification technologies, which GAO grouped into six areas: biased outcomes, limitations understanding technology performance and effects, data and privacy, systemic inequity, lack of transparency, and technical expertise of users. GAO identified five key considerations that could help policymakers address one or more areas of stakeholder concern through a review of relevant literature and stakeholder interviews. These key considerations include: (1) conducting comprehensive evaluations to provide a fuller picture of the effects of biometric identification technologies, (2) encouraging more widespread sharing of information about the use of the technologies, (3) applying a risk-based approach in developing regulation and guidance, (4) enacting comprehensive privacy laws or guidance, and (5) providing technology users with additional training and guidance on how to select and use relevant technologies appropriately.

[Figure: Six Stakeholder Concerns About the Use of Biometric Identification Technologies and Five Considerations for Addressing Concerns]

Why GAO Did This Study

Biometric identification is the recognition of individuals based on their biological characteristics. These technologies include facial recognition, iris scanning, and fingerprinting, among others. Advocates for the use of biometric identification point to potential for the technologies to increase convenience, security, and efficiency. At the same time, several organizations have raised concerns about the accuracy of the technologies and their effect on privacy and civil liberties. The Research and Development, Competition, and Innovation Act includes a provision for GAO to examine “the impact of biometric identification technologies on historically marginalized communities, including low-income communities and minority religious, racial, and ethnic groups.” This report (1) describes literature and researcher views on the accuracy of biometric identification technologies across populations; (2) describes selected stakeholders' perspectives on how, if at all, use of biometric identification technologies affects access to resources or levels of inequality for communities that have faced historical patterns of disadvantage; and (3) identifies key considerations that could help address stakeholder concerns about the use of biometric identification technologies. GAO reviewed academic literature, government reports, and industry documents. GAO also interviewed researchers and a range of stakeholders, including community advocates; technology vendors; and local, state, and federal governments. For more information, contact Candice N. Wright at (202) 512-6888 or WrightC@gao.gov.

Single Audits: Improving Federal Audit Clearinghouse Information and Usability Could Strengthen Federal Award Oversight

What GAO Found

The Single Audit Act requires nonfederal entities that spend $750,000 or more in federal awards in a year to undergo a single audit, which is an audit of an entity's financial statements and federal awards, or in select cases a program-specific audit, and submit the results to the Federal Audit Clearinghouse (FAC). The U.S. Census Bureau maintained the FAC until October 2023, when the Office of Management and Budget (OMB) designated the General Services Administration (GSA) to assume responsibilities. GAO identified some issues with FAC processes that affect the reliability and usefulness of single audit information. For example, the FAC currently cannot identify recipients that should have submitted a single audit but did not. As a result, federal agencies may not have all the data they need to conduct oversight. In addition, OMB has not designated an entity to conduct a government-wide single audit quality review since 2007. Given the trillions of dollars of COVID-19-related financial assistance provided in recent years, a government-wide review is increasingly important to help identify issues in the quality of single audits that can lead to unreliable FAC information. GAO also found that $1.17 trillion of the reported $6.97 trillion of direct federal award funds spent by recipients from 2017 through 2021 were linked to single audit findings that were both severe (contributed to an auditor's modified opinion or material weakness) and persistent (repeated over multiple years).

[Figure: Severity and Persistence of Single Audit Findings by Direct Expenditure of Federal Awards, 2017-2021]
Note: Numbers may not sum due to rounding. For more details, see fig. 4 in GAO-24-106173.

These findings were also related to $69 billion of COVID-19 relief funds spent from 2020 to 2021. GAO identified 213 findings reported in 2015 or earlier that remained unresolved in 2021.

Why GAO Did This Study

Federal award amounts distributed to recipients have increased substantially since the onset of the COVID-19 pandemic. For fiscal year 2023, $1.1 trillion of awards were distributed and about 40,000 single audits were submitted to the FAC. Single audits are an important tool to help ensure that award recipients are complying with the requirements of their awards. The CARES Act includes a provision for GAO to conduct oversight of funds made available to respond to the COVID-19 pandemic. This report examines (1) FAC data reliability for oversight purposes, including oversight of COVID-19 relief funding; (2) processes involved in using and overseeing the FAC; and (3) the extent to which federal award expenditures were linked to severe and persistent single audit findings reported in the FAC. GAO analyzed FAC data from 2015 through 2021 (the most recent complete data available at the time of review). GAO interviewed selected federal agencies and audit community members about their use of the FAC.

Consumer Financial Protection Bureau: Overview of Mission, Structure, and GAO Oversight

What GAO Found

The Dodd-Frank Wall Street Reform and Consumer Protection Act created the Consumer Financial Protection Bureau (CFPB) to regulate the offering and provision of consumer financial products or services under federal consumer financial laws. The act also provided CFPB authorities related to supervising and enforcing federal consumer financial laws, handling consumer complaints, promoting financial education, and monitoring financial markets for risks to consumers. CFPB is an independent bureau within the Federal Reserve System and is funded primarily through transfers from the combined earnings of the Federal Reserve System. CFPB operates within six divisions, including divisions focused on consumer response and education; research, monitoring, and regulations; and supervision, enforcement, and fair lending.

GAO audits CFPB's annual financial statements, in accordance with statutory requirements. Since 2011, GAO has found that CFPB's financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. In addition, GAO has not identified any reportable noncompliance with provisions of applicable laws, regulations, contracts, or grant agreements it tested. In all but one annual audit, GAO found that CFPB maintained, in all material respects, effective internal control over financial reporting. In November 2014, GAO reported that CFPB's internal control over financial reporting was not effective for fiscal year 2014 because of a material weakness in internal control over the reporting of accounts payable. GAO found that CFPB took significant actions in fiscal year 2015 that sufficiently addressed the deficiencies related to the material weakness. GAO also identified deficiencies that collectively constituted significant deficiencies in CFPB's internal control over financial reporting in fiscal years 2013 through 2016. CFPB addressed these issues.

GAO conducts performance audits of CFPB that cover a variety of the bureau's operations in response to congressional mandates or requests. In recent years, performance audits have addressed topics including CFPB's analysis of certain mortgage data, its personnel management, and its oversight and enforcement of fair lending laws. GAO's audits have also reviewed CFPB's workforce expertise related to financial technology and its efforts to address consumer risks from financial technology and blockchain products and services. For example:

- In September 2023, GAO recommended that CFPB conduct strategic workforce planning that addresses financial technology; develop performance goals and measures for its Office of Competition and Innovation that are clear, targeted, and measurable; and develop performance measures that are specific to its strategic objectives related to supervisory technologies.
- In June 2023, GAO recommended that CFPB work with the other financial regulators to establish or adapt an existing formal coordination mechanism to collectively identify risks posed by blockchain-related products and services and formulate a timely regulatory response.

CFPB neither agreed nor disagreed with these recommendations. GAO will track CFPB's progress on these recommendations over time.

Why GAO Did This Study

Since CFPB began operating in 2011, GAO has conducted oversight of various aspects of the bureau's operations. This statement discusses (1) CFPB's mission and structure, (2) GAO's financial audits of CFPB's annual financial statements, and (3) GAO's performance audits of CFPB's operations. This statement is based on information from GAO's prior financial and performance audits as well as publicly available CFPB information, including its most recent strategic plan.

Federal Food Purchases: Buying from Small Businesses and Local Sources

What GAO Found

From fiscal years 2018 through 2022 the federal government obligated more than $33 billion for the purchase of food sourced from within the United States from domestic vendors. During this time, the United States Department of Agriculture's (USDA) Agricultural Marketing Service and the Department of Defense's (DOD) Defense Logistics Agency accounted for more than 90 percent of all federal purchases of domestic food. These foods are purchased for Agricultural Marketing Service and Defense Logistics Agency clients, including schools, food banks, and military installations, and are a vital component of our nation's food safety net. Both the Agricultural Marketing Service and Defense Logistics Agency purchase food in response to requests from their clients. These requests reflect dietary guidelines tailored to specific needs.

The Agricultural Marketing Service and Defense Logistics Agency obligated nearly $30 billion for food purchases in fiscal years 2018 through 2022. Of that amount, the agencies obligated $13.6 billion (over 45 percent) on contracts with small businesses, according to GAO's analysis of federal procurement data.

Both agencies are generally required by law to purchase domestic food, but there are no requirements that this food be locally grown, and neither the Agricultural Marketing Service nor Defense Logistics Agency collects comprehensive data on such purchases. However, both agencies encourage vendors to source locally grown food where available. In addition, since fiscal year 2021, the Agricultural Marketing Service has provided more than $600 million in financial assistance to states, territories, and tribal governments to purchase foods produced within the state, or within 400 miles of the delivery destination, to help support local, regional, and underserved producers. Through the USDA DOD Fresh Fruit and Vegetable Program—which provides fresh fruits and vegetables to schools, Tribes, and tribal organizations in partnership with the USDA—the Defense Logistics Agency purchased more than $287 million of locally grown food products from fiscal years 2018 through 2022.

Why GAO Did This Study

The Agricultural Marketing Service is the primary purchasing agency for USDA and uses contracts to purchase a variety of domestic food products from vendors for use by the agency's clients, such as schools and food banks. The Defense Logistics Agency procures and distributes food through the DOD supply chain, including to military installations. Federal regulations require agencies to contract with small businesses, including for the purchase of food, to the extent practicable. The Agricultural Marketing Service and Defense Logistics Agency are required to purchase domestic food products. However, they are not required to purchase food that is locally grown. GAO was asked to examine issues related to federal purchases of food, including the extent of small business participation and purchases of locally grown food. This report provides information about how the Agricultural Marketing Service and Defense Logistics Agency make decisions about the types of food to purchase, the amount they purchased from small businesses, and their purchases of locally grown food in fiscal years 2018 through 2022, the most recent data available at the time of GAO's review. GAO reviewed relevant laws and agency documentation, analyzed obligations data, and interviewed agency officials as well as selected Agricultural Marketing Service and Defense Logistics Agency clients. For more information, contact Steve Morris at (202) 512-3841 or morriss@gao.gov.

Military Justice: Quality Data Needed to Improve Oversight of Navy and Marine Corps Disciplinary Measures

What GAO Found

Nonjudicial punishment, such as forfeiture of pay or a reduction in grade, is a tool to deter misconduct, maintain discipline, and improve performance without going through the court-martial process. Service members onboard a vessel at sea cannot refuse nonjudicial punishment and demand a trial by court-martial when a commanding officer uses the vessel exception. The Navy and the Marine Corps are refining guidance on the use of the vessel exception for nonjudicial punishment and plan to evaluate policy changes as new guidance is issued. For example, in November 2023, the Department of the Navy issued guidance that restricts use of the vessel exception when a ship is undergoing maintenance and is not operational. With these ongoing efforts, the Department of the Navy is on track to improve oversight of nonjudicial punishment and the use of the vessel exception.

The Navy and the Marine Corps have processes in place to report nonjudicial punishment data. However, GAO found, and Navy and Marine Corps officials acknowledged, that the accuracy and completeness of nonjudicial punishment data are limited due to human error and lack of automated processes. The Navy planned to use an automated system by October 2022 to collect nonjudicial punishment data but did not meet this goal due to funding constraints, according to Navy officials. Further, although the Navy issued a revised policy that clarifies reporting on the use of the vessel exception in January 2024, the policy does not address data quality issues stemming from the manual compilation of data. Without establishing a time frame to automate the collection and maintenance of quality nonjudicial punishment data and then implementing these automated processes, the Navy, the Marine Corps, and Congress may be hindered in their ability to provide sufficient oversight of nonjudicial punishment and the use of the vessel exception. Such oversight would include the use of quality data to analyze trends in military justice processes and to measure the effectiveness of discipline-related initiatives.

[Figure: Navy and Marine Corps Process for Reporting Nonjudicial Punishment Data, as of January 2024]

Why GAO Did This Study

The Navy and the Marine Corps impose nonjudicial punishment as a disciplinary measure for minor offenses. A service member's career can be stigmatized by a record of nonjudicial punishment, which can lead to involuntary separation with less than an honorable discharge, according to Navy and Marine Corps officials. House Report 117-397 includes a provision for GAO to review the Department of the Navy's use of the vessel exception and policies related to nonjudicial punishment. Among other things, this report 1) describes Navy and Marine Corps guidance for using the vessel exception, and 2) assesses the extent to which the Navy and the Marine Corps report quality data for oversight of the vessel exception. GAO analyzed guidance, policies, and data; interviewed relevant officials; and conducted one site visit onboard a vessel at sea.

Medicaid: COVID-19 Vaccination Data Access and Strategies Used to Improve Immunization Rates

What GAO Found

Six selected state Medicaid programs GAO reviewed varied in their ability to obtain data on beneficiaries with COVID-19 vaccinations from state immunization information systems during the COVID-19 public health emergency from 2020-2023. During the emergency, these systems—maintained by state public health departments—were the primary source of such data. This was because providers administering COVID-19 vaccinations were required to report to them. Specifically, state policies—which govern provider reporting requirements and data sharing—in effect prior to the emergency enabled Medicaid programs in four selected states to obtain patient-level vaccination data from state immunization information systems. In contrast, state policies in effect prior to the emergency in two selected states either did not specify or did not permit such data exchange.

[Figure: COVID-19 Vaccination Data Collection and Transmission to Certain State Medicaid Programs]

State officials and stakeholders described interoperability gaps between state immunization and Medicaid systems, the volume of vaccination data collected, and other factors as affecting the availability and quality of COVID-19 vaccination data collected by immunization information systems during the COVID-19 public health emergency. State officials described how some factors resulted from the public health emergency. They also noted solutions they implemented as the emergency progressed, such as using a temporary storage system for the increased volume of data. State and federal officials also identified state policies as continuing to be important drivers of vaccination data collection and data sharing with Medicaid programs after the public health emergency.

In the four selected states with access to patient-level data, GAO found that Medicaid programs used the data to implement two types of strategies to increase COVID-19 vaccination rates: incentives and targeted outreach. For example, one state awarded incentive payments to its 25 managed care organizations based on performance across 10 vaccination measures. Additionally, Medicaid and managed care officials in five of the six states described using data from other sources, such as Medicaid claims, to increase COVID-19 vaccination rates among high-risk and vulnerable populations. For example, Medicaid officials in these states told us Medicaid claims data helped them to identify and focus efforts on beneficiaries most at risk of adverse outcomes from COVID-19.

Although states reported using various strategies to increase vaccinations, the effectiveness of their specific strategies is unclear due to the nature of the COVID-19 public health emergency. According to Medicaid officials, it is difficult to attribute changes in Medicaid beneficiaries' vaccination rates to a specific strategy, because the emergency required multiple concurrent strategies.

Why GAO Did This Study

Given the importance of COVID-19 vaccinations in preventing severe outcomes, such as hospitalizations and death, ensuring Medicaid beneficiaries receive the vaccine is important. However, state Medicaid programs did not always receive information on the vaccination status of beneficiaries directly from providers during the public health emergency. This was in part because vaccines were purchased by the federal government rather than by insurers like Medicaid. GAO was asked to examine Medicaid programs' access to and use of data from immunization information systems to improve COVID-19 vaccination rates among beneficiaries, and factors contributing to data completeness. This report describes (1) the extent to which selected states' Medicaid programs obtained patient-level COVID-19 vaccination data, and any factors affecting data availability and quality; and (2) how that data helped inform selected states' strategies to improve COVID-19 vaccination rates, and information on the effectiveness of such strategies. GAO reviewed relevant federal laws, interviewed federal agency officials, as well as reviewed information and interviewed officials from state public health departments and Medicaid programs in six states. The states were selected based on characteristics of their Medicaid and immunization programs, among other various factors. GAO also interviewed 10 stakeholder organizations, including those representing immunization managers and Medicaid directors. For more information, contact Catina B. Latham at (202) 512-7114 or lathamc@gao.gov.

Electronic Health Records: DOD Has Deployed New System but Challenges Remain

What GAO Found

The Department of Defense (DOD) has deployed its new federal electronic health record (EHR) system, called MHS GENESIS, at military treatment facilities. The final system deployment took place in March 2024 at the Federal Health Care Center, a joint DOD and VA facility. As of March 2024, DOD and VA reported that they had completed the 35 critical tasks and milestones required to implement the new system at the joint facility, but the departments have opportunities to further integrate their systems. Accordingly, DOD and VA began a process to resolve differences between their respective workflows and EHR configurations to increase integration. However, the process did not result in a fully integrated approach due to reasons such as legal and policy barriers. Until it addresses these barriers, DOD and VA will likely not meet the integration goal established for the Federal Health Care Center.

In 2022, DOD began conducting an annual survey of MHS GENESIS user satisfaction and worked with a contractor to analyze survey data. User satisfaction rates for DOD's new system have improved over the past 2 years. However, the user satisfaction rates for the new system were generally lower than the rates for users of DOD's legacy systems and for private-sector users of the commercial version of MHS GENESIS (see table).

User Satisfaction Results from DOD's 2023 Annual User Satisfaction Survey Compared to Results for DOD's Legacy Systems and Similar Private-Sector Systems

| Survey question topic | New electronic health record | Legacy systems | Private-sector systems |
|---|---|---|---|
| Patient-centered care | 39% | 56% | 46% |
| Efficiency | 20 | 36 | 32 |
| Downtime | 49 | 45 | 67 |
| Response time | 21 | 31 | 40 |
| Quality care | 29 | 46 | 50 |

Source: GAO analysis of Department of Defense (DOD) information. | GAO-24-106187
Note: DOD legacy system data come from 2022 survey results. Data for DOD's new electronic health record and for private-sector systems come from 2023 survey results.

Although user satisfaction levels are below those for its other relevant systems, DOD has not yet established satisfaction goals. Without goals for improving user satisfaction, the department will be limited in its ability to measure progress, plan for improvements, and ensure the system meets users' needs.

DOD's Program Executive Office has implemented an issue management plan to address key issues affecting MHS GENESIS. However, it has not been able to resolve problems with its dental module, called Dentrix. These problems, which began in 2018, continued to plague Dentrix through January 2024. This led to DOD elevating the issue to the severe level and deciding to identify Dentrix alternatives. However, DOD does not yet have a plan or schedule for identifying alternatives. Until the office resolves the Dentrix issue, the new federal EHR will not provide critical functionality to dentists who treat DOD beneficiaries.

Why GAO Did This Study

DOD's health care system is one of the largest in the nation, providing crucial services to millions of service members, retirees, and their family members. The department has taken major steps to modernize the EHR systems it uses to manage patient health information. Federal law includes provisions for GAO to review DOD's EHR system modernization. This report examines (1) the progress DOD and VA have made toward implementing the federal electronic health record system at the Federal Health Care Center, (2) the extent to which DOD has identified user satisfaction with the system, and (3) the extent to which DOD has managed key issues affecting system implementation. GAO analyzed agency documentation, such as implementation plans and results of user satisfaction surveys. GAO also reviewed program documentation on long-standing EHR-related issues, including issues with deploying the dental module. In addition, GAO observed monthly program management meetings where top program risks were discussed, interviewed department officials, and conducted a site visit to the Federal Health Care Center.

Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions

What GAO Found

Among its 115 provisions, the order contains 55 leadership and oversight requirements (actions to assist or direct the federal agencies in implementing the order). The three key agencies primarily responsible for the implementation of these requirements are the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget (OMB). These agencies fully completed 49 of the 55 requirements, partially completed five, and one was not applicable (see table below). Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected.

Progress in Implementing Executive Order 14028 Leadership and Oversight Requirements, as of March 2024

Number of requirements that are fully complete, partially complete, not complete, or not applicable:

| Executive Order Section | Fully complete | Partially complete | Not complete | Not applicable |
|---|---|---|---|---|
| Removing Barriers to Sharing Threat Information | 6 | 1 | — | — |
| Modernizing Federal Government Cybersecurity | 8 | — | — | — |
| Enhancing Software Supply Chain Security | 16 | 1 | — | — |
| Establishing a Cyber Safety Review Board | 6 | 1 | — | — |
| Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents | 4 | — | — | 1 |
| Improving Detection of Cybersecurity Vulnerabilities and Incidents | 7 | 1 | — | — |
| Improving the Federal Government's Investigative and Remediation Capabilities | 2 | 1 | — | — |
| Total | 49 | 5 | — | 1 |

Legend: fully complete = those where the actions required are complete; partially complete = those where GAO judged significant, but not complete, progress to be made in completing a requirement; not complete = those where the progress made toward completion was minimal and not significant. The symbol “—” indicates that no requirements received this score.

Source: GAO analysis of documentation from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; the National Institute of Standards and Technology; and the Office of Management and Budget. | GAO-24-106343

GAO's High-Risk Series identified ten action areas critical to addressing the nation's cybersecurity challenges. The order's requirements directly address five of these ten critical action areas, while each of the other five could be addressed by other recently-issued strategies, frameworks, and guidance. For example, the cyber workforce and critical infrastructure action areas could potentially be addressed by the National Cyber Workforce Strategy and National Cybersecurity Strategy, if implemented effectively.

In addition to the ten action areas, six federal chief information security officers (CISO) identified additional cyber issue areas they considered to be challenging, such as uncertainty in cyber funding, creating a culture that prioritizes cybersecurity as an essential mission component, and focus on cyber compliance versus cyber resilience. The order's requirements also address each of these additional cyber issue areas identified by CISOs. For example, the order addresses uncertainties in cyber funding by requiring OMB to assist agencies in having sufficient resources to implement its requirements.

Why GAO Did This Study

For more than 25 years, GAO has identified information security as a high-risk area. During this period, the threat of cyber-based attacks on IT systems has continued to grow. In 2021, the President issued Executive Order 14028 to enhance federal resilience in protecting IT systems. The order contains requirements for federal agencies to improve their ability to identify, protect against, and respond to malicious cyber threats. The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically report on agencies' progress in improving their cybersecurity practices.
This report examines the extent to which (1) agencies have implemented Executive Order 14028 leadership and oversight-related requirements and (2) the order has addressed federal cybersecurity challenges. To do so, GAO identified government-wide leadership and oversight requirements in the order and the key agencies required to perform them. GAO then reviewed the agencies' implementation of those requirements. GAO also compared challenges identified in its work and in discussions with federal CISOs against the content of the order to determine whether they were addressed.


Public Health Preparedness: Mpox Response Highlights Need for HHS to Address Recurring Challenges

What GAO Found

Mpox, a serious infectious disease caused by a virus in the same family as smallpox, experienced an unprecedented global outbreak in 2022. The Department of Health and Human Services (HHS) led the initial federal response in the U.S., beginning in May 2022. According to a White House press release, a White House mpox response team was established and assumed leadership of the federal response, and the Secretary of Health and Human Services declared mpox a public health emergency in early August 2022. The federal mpox response included providing vaccines to jurisdictions for the prevention of mpox, among other efforts.

[Figure: Timeline of Selected Mpox Response Activities and Number of Mpox Infections]
Note: The decline in daily mpox cases was likely due to the combined effect of events in the figure above.

The six states, the District of Columbia, and seven local jurisdictions GAO interviewed described challenges with HHS's initial response to mpox that were similar to those GAO identified in HHS's response to past emergencies. For example, jurisdictions noted challenges with communication and the availability of vaccines, tests, and treatments, among other problems. Similar persistent and recurring deficiencies led GAO to add HHS's leadership and coordination of public health emergencies to its High-Risk List in January 2022, calling for an HHS leadership commitment to transform its efforts.

HHS—as the designated lead for the federal public health and medical response to emergencies—does not have a coordinated, department-wide after-action program to identify and resolve recurring emergency response challenges. While some component agencies within HHS have after-action programs, these agencies work independently without coordinating with each other, and do not always engage relevant external stakeholders in identifying challenges and associated solutions. GAO's past work has shown the benefits of coordination and including stakeholders when addressing challenges. Embracing a coordinated, department-wide after-action program for each response that includes external stakeholders would help HHS develop informed and comprehensive solutions. Such solutions should, in turn, strengthen HHS's ability to respond to future emergencies, including those that could be more infectious and lethal than mpox.

Why GAO Did This Study

State and local jurisdictions are often first to detect and respond to public health events. However, if their public health and medical capabilities need support, as with mpox, HHS is charged with coordinating federal assistance to supplement the response. GAO was asked to review the federal response to the mpox public health emergency.

In this report, GAO (1) describes the federal response to the mpox outbreak, (2) assesses the extent to which the federal mpox response presented challenges similar to those experienced in past public health emergencies, and (3) assesses federal efforts to address recurring public health emergency challenges. GAO reviewed HHS documents and mpox infection data from May 18, 2022, to January 31, 2023. GAO interviewed officials from the Department of Homeland Security, HHS, and 14 selected jurisdictions (six states, the District of Columbia, and seven localities), chosen based on case rates and demographic and geographic diversity. GAO received written responses from the White House mpox response team. GAO also reviewed HHS after-action processes and documents.


Foreign Investment in the U.S.: Efforts to Mitigate National Security Risks Can Be Strengthened

What GAO Found

The Committee on Foreign Investment in the United States (CFIUS) enters into agreements that require companies to mitigate national security risks stemming from foreign investment. Since 2000, the number of mitigation agreements has grown steadily, rising roughly fourfold in the last decade. The Departments of Defense and the Treasury manage the largest numbers of mitigation agreements. To mitigate risks—such as foreign investors' accessing certain sensitive data—CFIUS imposes various measures. For example, CFIUS might require the U.S. company to establish access controls for certain information systems.

[Figure: Number of Active CFIUS Mitigation Agreements, by Calendar Year, 2000–2022]
Note: “Mitigation agreements” includes agreements listed in notes to fig. 4, GAO-24-107358.

Selected CFIUS member agencies monitor compliance with mitigation agreements by, among other things, conducting site visits to companies and working with independent auditors and monitors. If a company violates an agreement, CFIUS can take enforcement action, including imposing monetary penalties. The Department of the Treasury, as the committee's chair, issued public guidelines on CFIUS penalties in 2022. But CFIUS does not yet have a documented committee-wide process for deciding on enforcement actions, which has led to challenges in responding to certain violations, according to officials. CFIUS also does not have a documented committee-wide process for reviewing agreements for continued relevance. Documenting such processes would help ensure CFIUS member agencies respond in a timely manner to violations and can focus their resources on mitigation agreements that remain relevant.

Over the last decade, selected CFIUS member agencies have expanded staffing to monitor and enforce compliance with the rising number of mitigation agreements. Treasury plans to expand its monitoring capacity by approximately doubling its staff. But Treasury has not documented its objectives for this increase, which it based on an estimate rather than an assessment of its needs. Documenting these objectives would allow Treasury to assess whether the increased staffing enables it to meet them. Further, officials of other selected member agencies said their staffing levels affect their monitoring, and CFIUS has not previously coordinated on staffing. Regular staffing coordination would help ensure CFIUS member agencies can effectively monitor and enforce compliance.

Why GAO Did This Study

The U.S. is historically the world's largest recipient of foreign investment. This benefits the U.S. economy but can also present national security risks. CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the U.S. to identify risks to national security. To mitigate such risks, CFIUS has authority to enter into legal agreements with the companies involved and to monitor compliance with the agreements. Treasury serves as the committee's chair.

GAO was asked to review issues related to CFIUS mitigation agreements. This report (1) describes trends in mitigation agreements from 2000 through 2022, (2) evaluates selected CFIUS member agencies' approaches to monitoring and enforcing compliance with mitigation agreements and reviewing them for continued relevance, and (3) assesses the selected agencies' staffing for monitoring and enforcement. GAO selected five member agencies on the basis of the number of mitigation agreements each agency manages. GAO reviewed laws, regulations, and agency guidance. GAO also conducted a nongeneralizable review of mitigation agreements and interviewed agency officials.

This is a public version of a sensitive report GAO issued in January 2024. Information Treasury identified as sensitive has been omitted.


Civil Monetary Penalties: Federal Agencies' Compliance with the 2023 Annual Inflation Adjustment Requirements

What GAO Found

In this eighth annual review, GAO found that most federal agencies that could be subject to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended (IAA), have published civil monetary penalty inflation adjustments for 2023 in the Federal Register and reported related information in their 2023 or 2022 agency financial reports (AFR) or equivalent. However, one agency published its inflation adjustment in the Federal Register as of December 31, 2023, but did not report the required information in its 2023 AFR for its civil monetary penalties.

Why GAO Did This Study

The IAA includes a provision, added in 2015, for GAO to annually submit to Congress a report assessing agencies' compliance with the annual inflation adjustments the act requires.

For more information, contact Paula M. Rascona at (202) 512-9816 or rasconap@gao.gov.


Discretionary Grants: DOT Should Improve Clarity and Transparency of Program Management

DOT administers billions of dollars in discretionary grants to improve transportation in the United States. To help ensure that DOT awards these grants to projects that best support needed improvements, the agency should implement our recommendations to enhance the clarity and transparency of its award processes.

The Big Picture

The nation's surface transportation system that moves both people and freight is aging and faces increasing demands on its use. Due to its potential impacts on public safety and economic growth, funding the nation's surface transportation system has been on GAO's High Risk list since 2007. The cost of repairing and upgrading the system continues to exceed the revenues available for improvements. As such, we have highlighted the importance of spending surface transportation funding wisely and efficiently. This is particularly true for the Department of Transportation (DOT), which provides funding to states and other eligible entities. DOT awards some of this funding through competitive (discretionary) grants.

[Figure: Typical DOT Discretionary Grant Application and Review Process]

The Infrastructure Investment and Jobs Act (IIJA) provided about $540 billion in funding for surface transportation for fiscal years 2022 through 2026. According to DOT, this included over $110 billion for DOT discretionary grant programs. We have recently reported on four of these programs. They received, in total, $24.5 billion in IIJA funding for fiscal years 2022 through 2026. These programs are: Rebuilding American Infrastructure with Sustainability and Equity (RAISE) ($7.5 billion), Infrastructure for Rebuilding America (INFRA) ($8 billion), Reconnecting Communities and Neighborhoods ($1 billion), and Capital Investment Grants (CIG) ($8 billion).

What GAO's Work Shows

We reported that in fiscal year 2022 (the first year of IIJA funding), DOT awarded about $3.75 billion through the RAISE and INFRA programs.
[Figure: Award Totals for RAISE and INFRA Programs, by State and Territory, Fiscal Year 2022]
Note: The total award amount shown on this map is about $3.75 billion. For fiscal year 2022, the INFRA program received funding from the IIJA and the RAISE program received funding from the IIJA and the Consolidated Appropriations Act, 2022. The map includes awards to all recipients within a state.

As of April 2024, DOT announced an additional $5.2 billion (rounded to the nearest ten million) in awards in the next funding rounds for these two programs.
- $2.3 billion in awards for 162 projects through the RAISE program for fiscal year 2023.
- $2.9 billion in awards for 28 projects through the INFRA program for fiscal years 2023 and 2024.

In work issued both before and after the passage of the IIJA, we found that DOT's administration of discretionary grant programs did not always align with requirements set by the Office of Management and Budget and DOT, respectively, raising concerns over their consistency and transparency. For example:
- Inconsistent documentation. We found that while DOT generally followed the processes outlined in the notice of funding opportunity (NOFO) and its own internal guidance when evaluating INFRA applications, DOT did not consistently provide complete and accurate documentation on its evaluation process. This documentation would better ensure DOT's consistent implementation of its policies as designed.
- Insufficient transparency. We found that DOT's process for evaluating RAISE applications did not fully align with federal regulations and DOT guidance for ensuring the fairness and transparency of discretionary grant programs. For example, DOT did not publicly disclose two selection factors used to make award decisions in its NOFO. In addition, the Federal Transit Administration (FTA), which administers the CIG program, did not always provide project sponsors with clear information on its methods or the factors it considered when reviewing projects.
Challenges and Opportunities

From July 2020 through January 2024, we made 17 recommendations to improve the management of these four programs. As of February 2024, 16 of these recommendations remain open or partially open. Open recommendations include that:
- DOT identify all selection factors in its RAISE NOFO and document its specific rationale for not selecting certain projects;
- DOT establish quality control procedures to verify that its documentation is complete and clearly define its “exemplary project” criteria for advancing INFRA applications for potential selection;
- DOT establish performance measures for, and evaluate the results of, its Reconnecting Communities Pilot program; and
- FTA take steps to clarify the methods it uses and factors it considers when reviewing projects for CIG grants, and to communicate information to sponsors in a timely manner.

Additionally, in 2016 we recommended that DOT issue department-wide requirements for discretionary grant programs. We made this recommendation based on finding similar documentation and transparency challenges in the administration of discretionary grant programs DOT awarded to improve the resilience of transit systems following Hurricane Sandy. We recommended requirements to document key decisions and to develop a plan for evaluating project proposals, including how the process will ensure a consistent review of applications. We subsequently designated this as a priority recommendation. In February 2024, DOT officials said that they are targeting the end of the calendar year to implement the recommendation.

For more information, contact: Elizabeth Repko, RepkoE@gao.gov, (202) 512-2834.


Aviation Safety: Federal Efforts to Address Unauthorized Drone Flights Near Airports

What GAO Found

Tactical and airport response plans and a federal interagency agreement describe the roles for responding to errant or malicious drone operations near airports. As described in these plans, local law enforcement authorities are expected to be the first to respond to a drone sighting. The federal government can assist in responding to an incident at an airport as outlined in the federal interagency agreement.

The Departments of Homeland Security (DHS), Justice (DOJ), Defense, and Energy have express statutory authority to use counter-drone technologies if certain statutory criteria are met. They also have federal statutory exemptions from specified federal criminal laws that are potentially applicable to the use of such technologies. These technologies can be used at an airport by DHS and DOJ if the drone poses, for example, a credible threat to safety or security and the DHS Secretary or the Attorney General designates the airport for an emergency response. GAO concluded that modifications to statutory authorities for drone detection and counter-drone operations could better protect airports against an active drone threat.

The Federal Aviation Administration (FAA) is testing drone detection and counter-drone technologies and is required to develop a plan for their use at airports. FAA is also pursuing several efforts to allow increased and routine drone operations. In various documents, FAA acknowledges the effects counter-drone technologies may have on other integration efforts but does not address how it will assess those effects. Including steps for this assessment in the agency's forthcoming drone integration strategy could help ensure that such technologies will work in harmony with FAA's other efforts, such as developing a drone traffic management system and rules for operating drones beyond operators' visual line of sight.
[Figure: Unauthorized Drone Flights Near Airports Present Safety and Security Threats]

This is a public version of a sensitive report that was issued in October 2023 and omits some information that DHS deemed sensitive. In some cases, the omitted information was, in part, the basis for GAO conclusions presented in this report.

Why GAO Did This Study

In recent years, FAA has reported a significant number of drone sightings at or near airports. FAA prohibits drone operations that interfere with airport operations. Whether errant or malicious, unauthorized drone flights around airports present safety and security threats and can result in flight delays.

GAO was asked to review drone detection and mitigation issues at airports. This report examines (1) federal and local roles for responding to a drone incident at an airport, (2) federal legal authorities related to using drone detection and counter-drone technology at airports, and (3) FAA actions to plan for using the technology at airports and its effects on drone integration efforts. GAO reviewed relevant federal statutes, regulations, agency documents, and reports. GAO interviewed FAA and DHS, and 18 aviation, law enforcement, and other entities to obtain a range of perspectives. GAO also reviewed FAA planning documents to determine how counter-drone technologies were incorporated into FAA's drone integration efforts.


Retirement Security: The U.S. Virgin Islands' Pension Plan Faces Risks Paying Government Employee Benefits

What GAO Found

The U.S. Virgin Islands' (USVI) Government Employees' Retirement System (GERS) remains one of the lowest funded public pension plans in the United States, according to GAO's analysis of national data. These plans offer a lifetime benefit for government workers. While most public plans in GAO's review had sufficient expected assets to cover between 60 and 111 percent of plan liabilities as of 2021, GERS had enough to cover about 10 percent. To improve plan solvency, GERS has made changes to its plan since 2005—similar to eight other selected public plans, including in the four U.S. territories. These changes applied to all new hires and included decreasing benefits, increasing the retirement age, and increasing employee contributions.

The USVI government secured additional funding for the plan through an excise tax on rum in April 2022. However, GERS continues to face the risk of insolvency. According to GAO's analysis, GERS may face insolvency within the next 10 years if the excise tax rate is lower than expected or if rum sales decline, among other risks. For example, the GERS' revenue projections for the excise tax used a $13.25 per proof gallon tax rate that expired in 2021 and reverted to a lower statutorily defined rate in 2022 ($10.50). While the USVI government has paid the resulting shortfall in 2023, it is not required and may not be sustainable. This could result in a long-term funding shortfall (see figure).

[Figure: GERS Funding Projections Using Different Excise Tax Rates on Rum]

According to interviews with stakeholders and plan officials, and literature GAO reviewed, a shared commitment between the government and the plan to ensure funding is adequate, resilient, achievable, and enforceable can help ensure a plan's promised benefits. The USVI government could consider several options to better ensure such benefits. For example, some governments have dedicated additional specific revenue streams, such as a portion of sales taxes, to their plans. In the past, GERS also received government funding for administrative expenses. The Department of the Interior can provide limited technical assistance upon request, such as for examining strategies to address risks.

Why GAO Did This Study

GERS is a defined benefit pension plan that covers all USVI government employees and retirees. It includes nearly 19,000 participants. The plan has historically been underfunded by the USVI government. In 2021, GERS actuaries projected that the plan would be insolvent by March 2025. The USVI government has made changes to the plan over the years to maintain its solvency, including providing GERS with additional funding in 2022. However, the plan continues to face uncertainties.

GAO was asked to review the financial position of GERS. This report describes (1) how GERS compares with other public defined benefit pensions regarding funding and benefits, (2) risks GERS faces in being able to pay promised pension benefits, and (3) options for the USVI government and GERS to better ensure GERS provides promised pension benefits.

GAO analyzed 2021 data on the characteristics of selected public pension plans from the Center for Retirement Research at Boston College, as well as 2021 and 2022 GERS data from the USVI government. In both cases, these were the most recently available data at the time of GAO's analysis. GAO reviewed publicly available information from eight public pension plans, selected to represent a mix of plan size and funding status. GAO also reviewed information from GERS actuaries and investment consultants and from relevant literature. GAO interviewed USVI and GERS officials; stakeholder groups such as actuary, state retirement administrator and other associations; and Department of the Interior officials.

For more information, contact Tranchau (Kris) T. Nguyen at (202) 512-7215 or nguyentt@gao.gov, or Frank Todisco at (202) 512-2700 or todiscof@gao.gov.
