What GAO Found All five urban hospitals included in GAO's review experienced financial decline characterized by financial losses or declining profits in the 5 years leading to their closure. For instance, one hospital filed for bankruptcy under three different owners within 5 years prior to its closure. Several other factors contributed to hospital financial decline and closure such as aging physical infrastructure, low inpatient volume, challenges operating as independent hospitals, poor management practices, and separate ownership interests. Factors Contributing to Closure of Five Selected Urban Hospitals in 2022 or 2023 The availability of health care services shifted or decreased in the communities of all five hospitals after the hospitals closed. Specifically, two hospitals continued providing outpatient services after closing their inpatient services, and other providers in their communities adjusted their service availability by, for example, expanding inpatient capacity, according to stakeholders. The other three hospitals ceased all health care services when they closed. After two of them closed, the decline in service availability affected nearby hospitals and community residents. For example, one hospital's closure reduced the availability of emergency and inpatient services in the part of the city where it was located, which exacerbated pre-existing access to care challenges for community residents, according to stakeholders. Stakeholders for all five hospitals identified ongoing challenges with access to health care that some residents in their communities continued to experience after the closures. For example, even though the community residents had several options to seek health care after the hospitals closed, some residents lacked adequate transportation to reach alternative facilities or lacked access to primary care providers, according to stakeholders. Why GAO Did This Study Hospitals play a critical role in delivering health care services to their communities. Approximately half of U.S. hospitals are in urban areas, and closures of urban hospitals outpaced new openings from 2019 to 2023. GAO and others have previously reported on hospital closures in rural areas, but few studies have been conducted on the closure of urban hospitals. GAO was asked to examine the bankruptcy and closure of health care facilities. This report describes the closure of five selected urban hospitals, specifically: (1) the financial conditions and other factors that contributed to their closure and (2) how health care service availability in communities changed after their closure. GAO selected a nongeneralizable sample of five hospitals in urban areas that closed in 2022 or 2023. These five selected urban hospitals reflect variation in geographic region, ownership type (for-profit vs. nonprofit), and whether the hospital provided outpatient services after it closed. GAO analyzed financial data on each hospital from the Department of Health and Human Services and reviewed relevant documents including information provided by selected hospitals and publicly available information such as court documents or community health needs assessments. GAO interviewed representatives from these selected hospitals and other stakeholders, such as representatives from nearby hospitals, other health care providers, community organizations, state hospital associations, and local government officials. In addition, GAO visited two selected hospitals. For more information, contact Leslie V. Gordon at GordonLV@gao.gov.

What GAO Found Medicaid section 1115 demonstrations enable states to test new approaches to providing Medicaid coverage and services. In October 2020, the Centers for Medicare & Medicaid Services (CMS) approved Georgia’s demonstration that expanded coverage of the adult population contingent on individuals meeting requirements to work or participate in other activities, such as training. Under the demonstration, individuals must meet these work requirements as part of the initial eligibility determination and through monthly reporting. After a 2-year delay while litigation related to the demonstration was pending, Georgia opened enrollment for the demonstration in July 2023. Implementing the demonstration required a number of changes to the state’s eligibility and enrollment systems, additional outreach efforts, and other administrative activities. Administrative spending for the demonstration was $54.2 million out of the $80.3 million in total demonstration spending in the first 4.5 years, according to data reported by Georgia to CMS. The majority of the administrative spending ($47.4 million or about 88 percent) was financed by federal dollars. The federal government generally provides 50 percent of the funds for administrative activities (referred to as a 50 percent matching rate), but pays for up to 90 percent of certain administrative costs, including for IT system changes. Reported Administrative Expenditures Under Georgia’s Medicaid Demonstration, Fiscal Year 2021 Through Second Quarter of Fiscal Year 2025 Notes: Total demonstration spending for this period was $80.3 million. States generally have up to 2 years to report an expenditure, including any prior period adjustments. Data reflect expenditures, including any prior period adjustments, reported as of May 20, 2025. GAO found weaknesses in CMS’s consideration and oversight of administrative spending. No consideration during demonstration approval. CMS did not request and Georgia did not provide estimates of administrative costs during the approval process despite the agency’s policy that Medicaid demonstrations not increase federal spending over what would have been spent absent the demonstration. Approved spending at higher federal matching rates than appeared allowable. CMS approved spending for activities such as for monitoring reports, a media strategy, and branding at a 90 percent federal matching rate reserved for developing and implementing changes to IT systems. These findings are consistent with concerns GAO raised in 2019, which GAO made recommendations to address. GAO found that CMS’s demonstration approval process does not take into account the extent to which demonstrations will increase administrative costs, and that CMS provided federal funds for costs that may not have been allowable or at inappropriately high matching rates. Addressing the latter will become more important as states implement work requirements in response to legislation enacted on July 4, 2025. Why GAO Did This Study Section 1115 demonstrations are a significant component of Medicaid spending. In 2018, CMS began allowing states to test work requirements under demonstrations, but most states’ demonstrations were later terminated as a result of litigation or by CMS. The exception was Georgia where work requirements remain in place. Implementing work requirements can involve various administrative activities, with states receiving federal funds for up to 90 percent of spending for certain activities. GAO was asked to examine the administrative costs of Georgia’s demonstration testing work requirements. This report describes the (1) types and (2) amount of administrative spending for Georgia’s demonstration. It also examines the extent to which CMS considered administrative costs at approval, and the agency’s oversight of administrative spending after approval. GAO reviewed demonstration expenditure data for fiscal year 2021 through the second quarter of fiscal year 2025, demonstration documentation, and past GAO findings and related recommendations. GAO also interviewed officials from CMS and Georgia.

What GAO Found For the seventh consecutive year since the Department of Defense (DOD) was required to undergo full-scope audits, DOD received a disclaimer of opinion on its financial statement audit in fiscal year 2024, meaning DOD could not provide auditors with sufficient, appropriate evidence needed to support information in its financial statements due to ineffective systems and processes. The National Defense Authorization Act for Fiscal Year 2024 requires DOD to receive an unmodified (clean) audit opinion by December 31, 2028. DOD’s balance sheet, a principal financial statement, is a snapshot of its financial position at a point in time—showing its assets (what it owns) and liabilities (what it owes). Reliable balance sheet data support informed decision-making and improve mission operations. In fiscal year 2024, DOD’s balance sheet included information from 67 DOD components, making consolidation a complex process. Although DOD received a disclaimer of opinion on its DOD-wide financial statements in fiscal year 2024, 11 DOD components received clean audit opinions. These components contributed $1.8 trillion of DOD’s total reported assets (42.8 percent) and $3.1 trillion of its reported liabilities (72.2 percent). However, nearly all of DOD’s total reported assets attributable to components with clean opinions related to the Military Retirement Fund. Similarly, nearly all assets attributable to components that received disclaimers of opinion related to the Army, Navy, and Air Force. Percentage of DOD’s Total Reported Assets Related to Each Type of Audit Opinion at the Component Level, Fiscal Year 2024 Additionally, in fiscal year 2024, DOD’s Office of Inspector General identified 28 DOD-wide material weaknesses, which hinder sustainable business processes and a functioning internal control environment for its financial management operations. GAO’s analysis showed that several identified DOD-wide material weaknesses directly affected $2.1 trillion (50.3 percent) of DOD’s reported assets and $146.9 billion (3.4 percent) of its reported liabilities, indicating that there is an increased risk that these amounts are materially misstated. However, pervasive material weaknesses may affect all balance sheet data. Why GAO Did This Study DOD reported over $4.1 trillion in assets on its balance sheet as of September 30, 2024. DOD’s assets represent a significant portion of the federal government’s reported total assets. The ability to properly account for and report these assets would improve DOD’s ability to successfully carry out its mission and is critical to achieve an unmodified (clean) audit opinion. However, DOD remains the only major federal agency that has yet to receive a clean audit opinion on its financial statements. This not only impedes DOD’s financial transparency but that of the U.S. government as a whole. DOD’s financial statement audits promote accountability and transparency in how DOD manages its money and help identify financial and operational issues. DOD obtaining a clean audit opinion is important to ensure that information in its financial statements is reliable for informed decision-making. This report, developed in connection with our mandate to audit the U.S. government’s consolidated financial statements, provides insight on the auditability of DOD’s balance sheet as of September 30, 2024. This report presents information on (1) component audit opinions as they relate to DOD’s reported total assets and liabilities and (2) DOD-wide identified material weaknesses as they relate to reported total assets and liabilities. GAO reviewed the fiscal year 2024 agency financial reports for DOD and its components to determine which audit opinions each received and what identified material weaknesses were present DOD-wide and at the component level. GAO analyzed the amounts (1) related to each type of audit opinion at the component level and (2) directly affected by identified material weaknesses. For more information, contact Asif A. Khan at khana@gao.gov.

What GAO Found Service organizations provide centralized services, such as payroll, to user entities (customers) that are important for managing the Department of Defense's (DOD) financial operations. Customers retain responsibility for the processes involved in these services. Therefore, customers and their financial statement auditors need to understand the design and operating effectiveness of service organizations' controls over such processes. System and Organization Controls 1 (SOC 1) reports can help them do so. SOC 1 reports give service organizations a basis for improving their operating processes and controls by identifying deficiencies. They can also provide customers and their financial statement auditors reasonable assurance about whether a service organization's controls described in the report were suitably designed and operated effectively to achieve the control objectives. GAO found that the number of DOD's service organization SOC 1 reports issued for fiscal years 2020 through 2024 ranged from 25 (2020) to 30 (2023). Additionally, the SOC 1 audit opinions, which were either unmodified (or clean) or modified, changed over this period. The deficiencies that contributed to modified audit opinions were primarily in the areas of logical access controls (which limit access to data and IT), configuration management (which identifies and manages changes to IT), segregation of duties (which ensures that one individual does not control all critical stages of a process), and processing controls (which ensure that IT transactions are authorized and errors are resolved). Further, service organization officials identified ongoing challenges in achieving unmodified audit opinions on their SOC 1 reports, such as transitioning to a new inventory management system. To address the identified deficiencies, most of the service organizations whose SOC 1 reports GAO selected for further review had performed root cause analyses; however, the methods used to document their analyses varied. In response to a GAO recommendation, in January 2025, DOD updated its guidance instructing DOD service organizations to document root cause analysis. This will help ensure that service organizations are taking appropriate actions to resolve the underlying causes of deficiencies identified in SOC 1 reports. GAO will monitor DOD's implementation of this guidance. In addition to updating guidance on root cause analysis, to address DOD's Service Organizations material weakness, the Office of the Under Secretary of Defense (Comptroller) has, among other things, developed a standard operating procedure to help customers monitor their service organizations. Why GAO Did This Study DOD has the largest discretionary budget authority of any agency in the federal government—$920 billion in fiscal year 2024.Yet it is the only major federal agency to have never achieved an unmodified audit opinion on its agencywide financial statements. For fiscal year 2024, DOD's agencywide financial statement auditor reported 28 material weaknesses in internal control over financial reporting, including one related to DOD's use of service organizations. This report discusses auditors' opinions in DOD service organizations' fiscal years 2020 through 2024 SOC 1 reports and the actions DOD service organizations took to address any deficiencies identified in those reports. GAO is also providing information on DOD's efforts to address its Service Organizations material weakness. GAO reviewed DOD's policies and procedures related to the SOC 1 process and service organization SOC 1 reports for fiscal years 2020 through 2024. Additionally, to evaluate actions that DOD service organizations have taken to address the deficiencies, GAO selected eight DOD SOC 1 reports for further review. GAO also interviewed DOD, service organization, service auditor, and customer officials. For more information, contact Asif Khan at khana@gao.gov.

Why This Matters In 2004, the National Nuclear Security Administration (NNSA) began plans to replace buildings at its Y-12 in Oak Ridge, Tennessee to support processing uranium for nuclear weapons and naval reactor fuel. NNSA expects the new Uranium Processing Facility to be fully operational in 2034. Until then, NNSA will continue using Building 9212, which was built in 1945 and predates modern safety codes. GAO Key Takeaways NNSA received approval to re-baseline its Uranium Processing Facility project in December 2024 at a cost estimate of $10.35 billion—adding nearly $4 billion and an 8-year delay to reach full operations. In January 2023, NNSA identified root causes and factors contributing to the cost increases and schedule delays. For example, NNSA found poor contractor performance, late notice of cost overruns, and limited workforce availability. NNSA’s contractor estimates that it will costs about $463 million to safely continue operations in Building 9212 until 2035—about a year after the new facility is expected to be fully operational. Some NNSA officials acknowledged increasing risks of continuing to rely on this building, which has degrading infrastructure and does not meet modern nuclear safety codes for earthquakes or high-wind events. NNSA has a comprehensive plan to continue safe operations in other aging buildings that were originally planned for replacement by the new facility but were scoped out of the project in 2012. In contrast, NNSA does not have a comprehensive plan to safely operate Building 9212 to accommodate the new facility’s delay. A plan would provide consistent information to better manage tradeoffs and address risks to continued safe operations in Building 9212. The New Uranium Processing Facility Under Construction at Y-12 National Security Complex, Tennessee How GAO Did This Study We reviewed NNSA’s 2023 root cause analyses related to project cost and schedule overruns. We analyzed information on the impact of the project delay on NNSA’s mission. We conducted a site visit to the Y-12 National Security Complex to observe construction of the new facility and conditions at existing buildings.

What GAO Found All 23 Joint Professional Military Education (JPME) programs GAO surveyed reported that they include varying degrees of nuclear deterrence content in their intermediate- and senior-level curricula, including incorporating mandatory topics identified in JPME guidance. However, the Department of Defense (DOD) has not explicitly defined nuclear deterrence in the guidance to help JPME programs develop nuclear deterrence content. Including an explicit definition of nuclear deterrence in the guidance could help JPME program officials facilitate a shared understanding of the concept, which would better prepare JPME students for joint assignments related to nuclear deterrence missions. Selected Defense Schools’ Core Courses at the Intermediate- and Senior-Levels with Nuclear Deterrence Content College or university Number of core courses Number of core courses with nuclear deterrence content National Defense University 37 12 National Defense University - Joint Forces Staff College 10 7 National Intelligence University 5 1 Army Command and General Staff College 17 5 Army War College 29 6 Naval War College 10 4 Air University 30 19 Marine Corps University 28 9 Space Force - Johns Hopkins University School of Advanced International Studies 13 8 GAO analysis of DOD information provided in response to GAO survey. | GAO-25-107416 In response to DOD requirements, JPME programs have begun developing learning outcomes and objectives for their JPME curricula that include a focus on nuclear topics, such as nuclear deterrence. However, GAO found the time frame for the JPME programs to implement DOD’s outcomes-based military education system is unclear, and the military services had varying understandings of the required time frame for implementation ranging from 2027 to 2029. Setting a specific time frame for full implementation of its outcomes-based military education system could help DOD implement the effort and meet the educational needs of the joint force for contemporary nuclear deterrence. Why GAO Did This Study The 2022 Nuclear Posture Review emphasizes the importance of supporting the professional development of service members working in and supporting the nuclear field. Additionally, DOD has recently shifted from a topics-based approach to an outcomes-based approach to monitor and assess student learning for key topics covered in JPME curricula, including nuclear deterrence. A Senate Armed Services Committee report accompanying a bill for the National Defense Authorization Act for Fiscal Year 2024 included a provision for GAO to assess DOD’s JPME system, including the curriculum involving nuclear deterrence. GAO evaluated, among other things, the extent that JPME programs have 1) included nuclear deterrence content in JPME, and 2) developed learning outcomes that include nuclear deterrence. For this report, GAO reviewed JPME programs’ curricula and conducted a web-based survey of the education institutions that manage the 23 intermediate- and senior-level JPME programs. GAO also reviewed policy, guidance, and other documents, and interviewed cognizant officials.

What GAO Found According to data provided by Department of Defense (DOD) components, DOD has established almost 440 organizations that contain about 61,000 military and civilian personnel (and over 9,500 contractors), to conduct cyberspace operations. These organizations are most often aligned with U.S. Cyber Command (CYBERCOM) or retained by the military services and conduct a mixture of offensive, defensive, and DOD Information Network operations (see figure). CYBERCOM-aligned organizations include organizations such as Navy cyber strike activities and Army cyber protection battalions that oversee tactical Cyber Mission Force teams. Military service organizations include units such as Air Force communications squadrons and Marine Corps radio battalions. Other organizations include cybersecurity service providers that provide network protection services to non-service components, such as the Defense Threat Reduction Agency and the Defense Advanced Research Projects Agency. Department of Defense Organizations Conducting Cyberspace Operations To enable organizations conducting cyberspace operations, each unit is supported by organizations providing budgetary, personnel, policy, and training support. GAO identified 70 organizations and about 3,400 personnel that provide support to cyberspace operations. These include the Office of the Secretary of Defense, military department, and service headquarters, and other organizations. GAO found that some of the functions of these organizations may overlap. These include training courses the military services provide to organizations conducting cyberspace operations and the administration of DOD’s 23 cybersecurity service providers that conduct cybersecurity for DOD organizations. Although some overlap can be intentional and appropriate, unnecessary overlap can lead to organizations paying for the same service or product twice or more. As DOD considers the future organization and composition of its cyberspace operations forces, it will be important to take steps to reduce cost and inefficiencies while maintaining mission effectiveness. Why GAO Did This Study The U.S. and its allies face sophisticated cyber threats from both state and nonstate actors. To counter these threats, DOD conducts cyberspace operations to defend the nation, support allies and partners, and protect its DOD Information Network. Conference Report 118-301 includes a provision for GAO to review DOD’s management of cyberspace operations. GAO (1) identified the type and number of organizations and personnel that conduct cyberspace operations and (2) evaluated the extent to which there is overlap between organizations that provide budgetary, personnel, policy, or training support for cyberspace operations. GAO reviewed relevant documents, including DOD guidance, Secretary of Defense memorandums, and organizational command briefs. GAO collected and analyzed data from 434 organizations conducting and 70 organizations supporting cyberspace operations that were identified with DOD. GAO also interviewed relevant officials, such as those from the offices of the DOD and the military services’ principal cyber advisors.

What GAO Found The Federal Emergency Management Agency (FEMA) administers the Port Security Grant Program (PSGP), in coordination with the U.S. Coast Guard. This risk-based grant program provides funds to public and private sector entities to implement security plans and correct Coast Guard-identified vulnerabilities at U.S. ports. From fiscal year 2018 through 2024, FEMA awarded more than half of the $690 million in grant funds to eight port areas, and 82 port areas across the U.S. received funds. Three project types received 59 percent of grant funds from fiscal year 2021 through 2024: response vessels ($88.2 million), surveillance cameras ($76.1 million), and cybersecurity ($64.0 million). FEMA also awarded funds for other project types including communication equipment, physical security, and training. Examples of Projects Funded by the Port Security Grant Program FEMA and the Coast Guard have processes to evaluate grant applications and make award recommendations. However, the grant announcement does not include a description of all criteria used in these processes, as federal regulations require. Specifically, the fiscal year 2024 grant announcement does not (1) fully or accurately describe the scoring criteria used in the Coast Guard-led portion of the application evaluation process or (2) describe all factors other than merit criteria that FEMA may use in selecting applications for award, such as the five percent of funds set aside for highly effective projects in lower-risk ports. Adding this required information to the grant announcement could improve transparency and fairness for applicants and help them put forward applications better aligned with the evaluation criteria FEMA uses when awarding PSGP funds to enhance port security. Further, FEMA has not fully assessed the application evaluation process to ensure that its outcomes achieve the program’s multiple goals—funding projects in high-risk port areas; prioritizing projects aligned with national priorities; and funding highly effective projects in lower-risk port areas. For example, projects aligned with a national priority receive a 20 percent score increase, but FEMA has not assessed whether that increase leads to funding more projects aligned with national priorities. Assessing each step of the evaluation process could help FEMA ensure that the process leads to results aligned with FEMA’s program goals. Why GAO Did This Study U.S. ports are critical to the economy, and any disruption in maritime operations—such as an attack on a port—can impact the supply chain and the U.S. economy. GAO was asked to examine FEMA’s management of PSGP. This report examines the types and locations of projects awarded PSGP funds from fiscal year 2018 through 2024 and the extent FEMA followed required and recommended practices for grants, among other objectives. GAO analyzed FEMA and Coast Guard’s grant and scoring data from fiscal years 2018 through 2024, reviewed FEMA and Coast Guard program documents, and interviewed FEMA and Coast Guard officials. GAO visited two ports to gather port stakeholders’ perspectives on PSGP and observe projects that received PSGP funding. GAO also interviewed port stakeholders from nine Coast Guard-led maritime security committees.

Why This Matters For over 25 years, GAO has recommended actions that the Department of Defense and other federal agencies should take to improve their most complex and costly acquisition programs, saving taxpayers tens of billions of dollars. Most recently, this work has emphasized structuring acquisition programs around iterative development—a process stemming from Agile software development that leading companies use to develop innovative, value-added products that respond quickly to users’ needs. Such leading practices offer proven approaches that can inform improvements to agencies’ acquisition of complex systems. A sound technical process is not the only driver for the consistent pattern of success that characterizes leading companies’ product development. Leading companies employ equally robust business processes to initiate, justify, and prioritize their investments in innovative products such as semiconductors and industrial automation systems. Key Takeaways Leading companies employ a forward-looking, agile approach to managing the overall mix of products, or product portfolios, through recurring processes. Leading Companies Manage Product Portfolios Through Recurring Processes Leading companies continually interact with business cases—collections of information that justify undertaking product development efforts. For example, based on regular assessments of business case data, portfolio managers may decide to add resources to improve weaker performing products or discontinue outdated products that impede demand for updated versions. Continually updating portfolios based on business case data enables leading companies to optimize their investments and ensure portfolios are responsive to the company’s strategic vision and evolving user needs. Leading companies also apply an iterative process to developing their business cases for individual products. This is a departure from the traditional business case process that locks in a new product’s cost, schedule, and performance baseline from the start. As they gain knowledge, leading companies continually improve the business case for a new product and update key elements to capture changes in user needs, technology readiness, and markets. Leading Companies Iteratively Develop Business Cases Leading companies systematically reassess business cases’ key elements—market and user needs, product definition, internal value, and target schedule—at least every 6 months to avert problems sooner. They make investments only as products demonstrate progress and business cases warrant further funding. For example, they reserve the largest allocations until they have validated a design for the minimum viable product—one that includes the minimum capabilities needed for customers to recognize value. Leading Companies Scale Investment as the Business Case Evolves How GAO Did This Study This report is the third of a series on product development leading practices—preceded by GAO-22-104513 and GAO-23-106222—and responds to three congressional reports with requests related to acquisition leading practices, portfolio management, and requirements. It examines the practices selected leading companies employ to guide product development investments. GAO identified eight companies based on rankings in well-recognized lists, interviewed company representatives, and analyzed documentation. For more information, contact Shelby S. Oakley at oakleys@gao.gov.

What GAO Found The Department of Defense (DOD) has realized many benefits from its financial statement audits. For example, the DOD Office of Inspector General (OIG) reported that DOD's fiscal year 2024 remediation plans included the retirement of 89 outdated information systems and will result in savings of at least $760 million annually through fiscal year 2029. However, DOD still needs to make substantial progress in remediating its pervasive deficiencies, which auditors call material weaknesses. Although DOD's auditors downgraded one material weakness related to contingent legal liabilities, they identified a new one related to DOD's reporting of leases, resulting in no net change. Better financial management is critical to DOD's mission readiness, and it is important to demonstrating that DOD's financial statements and underlying financial information are reliable for decision-making. These audits help DOD to assess what is performing well and what areas still need improvement. For example, DOD OIG reported that DOD addressing its asset accountability challenges will provide leadership with more accurate information to assist in making operational decisions. The OIG noted that accurate asset data enable informed decisions about maintenance, replacement, and disposal, leading to better resource allocation and long-term planning. This in turn improves operations and helps better ensure optimum use of resources to support warfighter priorities. The National Defense Authorization Act for Fiscal Year 2024 mandates that the Secretary of Defense ensure that DOD receives a clean audit opinion on its financial statements by no later than December 31, 2028. In response, DOD reported that it realigned each reporting entities' roadmap. These roadmaps guide the implementation of corrective measures and establish milestones against which entities can measure progress, to accelerate audit progress and achieve the December 2028 mandate. Why GAO Did This Study DOD is responsible for about half of the federal government's discretionary spending and about 82 percent of the federal government's reported total physical assets. As of fiscal year 2024, DOD remains the only major federal agency that has never been able to receive a clean audit opinion on its financial statements. The Marine Corps received a clean audit opinion on its fiscal year 2023 financial statements, becoming the first military service to ever do so, and again receiving a clean audit opinion for fiscal year 2024. However, DOD and many of its component reporting entities' fiscal years 2018 through 2024 financial statement audits resulted in disclaimers of opinion. It is important for DOD to obtain a clean audit opinion to demonstrate that its financial statements and underlying financial information are reliable for decision-making and efficient and effective operations. In this Q&A report, GAO describes the audit approaches undertaken by the independent public accountants and results of DOD's and the military services' fiscal year 2024 financial statement audits, as well as DOD's planned timelines for addressing key audit findings. GAO reviewed relevant DOD, DOD OIG, and military service independent public accounting documentation and reports, as well as memorandums and status reports, and interviewed officials. GAO also analyzed DOD's and the military services' fiscal years 2023 through 2025 audit roadmaps as well as certain detailed project plans, which included milestones for certain corrective actions. For more information, contact Asif A. Khan at khana@gao.gov.

What GAO Found The Internal Revenue Service (IRS) reported that most of the projects associated with its 23 modernization programs were delivered on schedule for fiscal year 2024. In addition, IRS reported that it spent approximately $1.5 billion, $512 million less than it had originally planned for those programs. Specifically, 16 of the 23 programs had cost variances ranging from $5 million to $78 million in unspent funds. Best practices identified in prior GAO work call for documenting modernization plans that include: (1) milestones for completing the modernization, (2) a description of the work to be performed, and (3) details on the disposition of legacy systems, if applicable. GAO found that IRS documented plans for the 23 IT modernization programs active as of September 2024 and that most of the plans addressed the key elements. Specifically, 20 of the 23 plans fully addressed the first two elements, and three plans partially addressed those elements (see table). In addition, 10 programs fully addressed the third element, and two did not address it. GAO Assessment of the Internal Revenue Service’s Modernization Program Plans as of September 2024 Modernization plan element Yes Partially No Not applicable Includes milestones 20 3 0 0 Describes work to be performed 20 3 0 0 Includes disposition of legacy systems 10 3 2 8 Legend: Not Applicable = No corresponding legacy system to be retired. Source: GAO analysis of Internal Revenue Service data. | GAO-25-107611 Federal strategic planning guidance calls for agencies to align their programs with strategic goals and objectives. Consistent with this guidance, IRS aligned its modernization programs with its IT strategic goals and objectives. However, in March 2025 IRS told GAO that it had paused its modernization programs because it was reevaluating its priorities. The agency subsequently shared a draft modernization framework it was developing that included nine initiatives that it planned to pursue instead of the 23 programs. The nine are designed to meet specific technology demands, such as a unified application program interface. According to a June 2025 Taxpayer Advocate report to Congress, to enable this reprioritization, many projects continue to be paused or have been canceled. As IRS fully develops its new IT modernization framework, it will continue to be important for the agency to (1) align new initiatives with documented agency strategic objectives, and (2) have program plans that address key elements. In addition, for the 23 programs that IRS was previously pursuing, it is also important that IRS consider the usability of the work performed to date. Why GAO Did This Study IRS relies extensively on IT to annually collect trillions of dollars in taxes, distribute hundreds of billions of dollars in refunds, and carry out its mission of providing service to America's taxpayers in meeting their tax obligations. In August 2022, Congress appropriated approximately $4.8 billion through the Inflation Reduction Act of 2022 to IRS for business systems modernization. The appropriated amounts are to remain available through the end of fiscal year 2031. For fiscal year 2024, IRS spent about $5 billion on IT, including $1.5 billion on modernization programs reported to Congress. Applicable Appropriations Committee reports include a provision for GAO to review IRS’s IT programs. GAO’s report (1) summarizes IRS’s fiscal year 2024 cost and schedule performance for its modernization programs, and (2) determines whether IRS had developed modernization program plans consistent with best practices and aligned with its strategic vision. GAO summarized IRS’s reported planned versus actual cost and schedule for its modernization programs delivered in fiscal year 2024, as reported in quarterly status reports to Congress. In addition, GAO analyzed fiscal year 2024 modernization program plans to determine the extent to which they met best practices. GAO also interviewed relevant IRS officials.

What GAO Found The State Department is responsible for investigating and reporting end-use violations to Congress—that is, foreign partners’ violations of requirements for the purpose, transfer, and security of defense articles and services they received from the U.S. government. State relies primarily on the Department of Defense (DOD) to identify incidents that could constitute violations. As of February 2025, DOD was tracking more than 150 incidents, many of them detected by DOD security cooperation organizations (SCO) at diplomatic posts. However, GAO found State has not provided clear guidance to DOD defining the types of incidents that warrant State’s attention. Without such guidance, SCO officials told GAO they exercise professional judgement in deciding whether to inform State about incidents. As a result, State may be unaware of potential violations it needs to investigate. Further, State’s investigations of potential end-use violations are inconsistent, in part because its guidance for conducting investigations does not establish required actions or time frames. For example, for one potential violation, State officials gathered information, reviewed transfer agreements, and worked with SCO officials to resolve it. For another potential violation, State officials did not take any action. Moreover, State has not consistently documented the status or findings of its investigations since 2019. As a result, State does not have readily available information about foreign partners’ compliance with arms transfer agreements. Such information could inform decisions about future arms sales. In addition, State has not shared its findings with SCO officials, who could implement measures to address violations or prevent their recurrence. Status of State Department Investigations Is Missing for Many Incidents That Potentially Violated U.S. Arms Transfer Agreements as of February 2025 Since 2019, State has reported three end-use violations to Congress, but State cannot show that it determined whether most known incidents met legal reporting criteria. Under law, State is required to report to Congress (1) substantial violations of purpose, transfer, and security requirements that may have occurred and (2) any unauthorized transfers that did occur. State documented in memorandums its determinations for three incidents. However, State officials could not provide similar documentation for more than 150 others. State officials said they do not have formal procedures for determining whether incidents meet the reporting criteria or for recording these determinations. Without guidance establishing such procedures, State cannot ensure it is reporting to Congress in accordance with the law. As a result, Congress may not have information to support oversight, such as considering legislation to prohibit transfers of defense articles and services to foreign partners that have violated their agreements. Why GAO Did This Study To enhance U.S. national security, the U.S. government provides defense articles and services, such as weapons and military training, to dozens of foreign partners around the world. Recipients agree to comply with legal end-use requirements that prohibit using the provided articles or services for unauthorized purposes, transferring them to unauthorized entities, and failing to keep them secure. Congress included a provision in House Report 118-301 for GAO to review State and DOD procedures related to alleged violations of relevant end-use requirements of defense articles and services. This report examines the extent to which (1) State and DOD identify and track potential violations, (2) State investigates potential violations and communicates its findings to agency stakeholders, and (3) State reports appropriate incidents to Congress. GAO reviewed laws and agency policies for guidance on identifying, investigating, and reporting potential violations to Congress. GAO also analyzed documentation and information about potential violations, State’s investigations, and its reports to Congress. In addition, GAO interviewed agency officials in the U.S. and at 10 diplomatic posts, including during visits to five countries that GAO selected to reflect an array of incident types and geographic locations.

Why This Matters Medicaid section 1115 demonstrations allow states to test new approaches for delivering services and have become a significant feature of the program. The Centers for Medicare & Medicaid Services (CMS) policy is for demonstrations to be budget neutral (i.e., not raise costs for the federal government). We have previously recommended CMS use valid methods to determine budget neutrality. GAO Key Takeaways Federal spending on Medicaid demonstrations nearly doubled from 2013 through 2023—the latest available data. CMS sets spending limits for each demonstration that are intended to ensure that demonstrations are budget neutral. The limits are based on projections of what Medicaid would have spent without the demonstration. The higher the projected spending, the higher the spending limit. In 2021, CMS began requiring states to use recent spending data rather than outdated historical spending projections when calculating spending limits—a method that better ensures budget neutrality. We estimated that this reduced potential federal spending by about $123 billion for two selected demonstrations. However, in 2022, CMS adjusted this policy and allowed spending limits to partially reflect outdated historical spending projections. This increased potential federal spending by an estimated $17 billion in three selected demonstrations. Also in 2022, CMS began allowing spending limits to include certain costs for services to address health-related social needs, such as housing assistance. Some of these costs could not have occurred absent the demonstration because they are not allowable under Medicaid. This increased potential federal spending by almost $4 billion in five selected demonstrations and did not ensure budget neutrality. Federal Expenditures Under Medicaid Demonstrations Note: Expenditures are adjusted for inflation. How GAO Did This Study We analyzed CMS expenditure data on Medicaid demonstration spending. We reviewed CMS policy changes from 2020 through 2024 and approval documents for six state demonstrations, selected for variation in approval dates. We estimated how the changes in CMS policies would affect federal spending.

What GAO Found The Department of Defense (DOD) is developing the National Background Investigation Services (NBIS)—an IT system for conducting background investigations for most federal agencies and over 13,000 industry organizations that work with the government. However, delays have hindered NBIS deployment. DOD initially planned for NBIS to be fully operational in 2019 and changed its deadline several times. It now projects major development to be complete by the end of fiscal year 2027. DOD’s Missed Deployment Targets for the National Background Investigation Services (NBIS) Program, as of August 2025 DOD paused the NBIS program in 2024 and has since taken a new approach to its management and oversight of the program. In March 2024, DOD appointed a new Defense Counterintelligence and Security Agency (DCSA) director and NBIS program manager and subsequently revised its previous plans to develop an entirely new IT system. As of September 2025, DOD plans to migrate personnel vetting data to the cloud and modernize legacy systems. DOD also transferred some authority over the NBIS program to the Office of the Under Secretary of Defense for Acquisition and Sustainment in early 2024 as part of its efforts to address NBIS delays, cost overruns, and technical issues; and it created the NBIS Requirements Governance Board to regularly review the program. GAO is currently reviewing DOD’s new schedule and cost estimate for NBIS following recent reforms. In contrast to its past approach, DCSA has stated that it intends to meet all of GAO’s scheduling best practices with the use of a software tool instead of an integrated master schedule for NBIS. DCSA has also taken some action consistent with GAO’s best practices for cost estimating, including completing an independent cost estimate. DCSA now projects spending an additional $2.2 billion on NBIS development, in addition to costs of $2.4 billion it spent on NBIS and legacy systems since fiscal year 2017. Leadership is critical to the development of the NBIS system and the successful implementation of Trusted Workforce 2.0. Setbacks in NBIS development have led to delays in achieving Trusted Workforce 2.0 milestones. New DCSA leadership in 2024 set the program on a path that is intended to show marked improvements. However, sustained leadership by DOD will be critical to achieving personnel vetting reform. Why GAO Did This Study U.S. government personnel vetting processes, such as background investigations, rely on IT systems to process data on millions of federal employees and contractor personnel. Since 2018, the government has undertaken a major reform of personnel vetting called Trusted Workforce 2.0. DOD has been developing NBIS as the new IT system for personnel vetting. This statement summarizes information on (1) DOD efforts to revise its approach to NBIS development, (2) GAO’s ongoing work on the most recent NBIS schedule and cost estimate, and (3) the importance of sustained leadership for NBIS to achieve personnel vetting reforms under Trusted Workforce 2.0. This statement is based on GAO’s prior reports on NBIS from December 2021 through June 2024 as well as ongoing work. To perform prior and ongoing work, GAO analyzed information on NBIS from DCSA and the Office of Personnel Management, and interviewed knowledgeable officials.

By helping the agency improve its efficiency and protect its integrity, the OIG enhances GAO's ability to provide Congress and the public with timely, fact-based, non-partisan information that can be used to improve government and save taxpayer dollars. The Strategic Plan for Fiscal Years 2026–2030 illustrates the OIG's unwavering commitment to being a leading force in government oversight. Guided by this plan, the OIG will continue to promote accountability, integrity, and efficiency within GAO through meaningful, timely, and impactful oversight. This updated plan supersedes OIG-21-2SP, OIG Strategic Plan: 2021–2025, December 21, 2020. For more information, contact the OIG at (202) 512-5748 or oig@gao.gov.

What GAO Found The Social Security Administration (SSA) relies on IT hardware and software to deliver services that touch the lives of virtually every American. From fiscal years 2020 through 2024, SSA obligated $1.4 billion or more annually on IT acquisitions. Social Security Administration Contract Obligations, Fiscal Years 2020-2024 SSA’s IT acquisition staff include contracting officers, who award and manage contracts, and contracting officer’s representatives, who assist contracting officers with contract administration functions. These staff reside in the Office of Acquisition and Grants and the Office of the Chief Information Officer, respectively, which face staffing and training challenges. Staffing. The Office of Acquisition and Grants has limited data on contracting officer workloads to inform staffing assessments. Similarly, the Office of the Chief Information Officer completed workload assessments for contracting officer’s representatives who support software contracts, but it has conducted limited assessments for those supporting hardware and service contracts. Executive orders and related guidance from early 2025 direct executive agencies, including SSA, to reduce their workforces and consolidate certain procurements at the General Services Administration. SSA is in the process of identifying changes to its IT acquisition workforce as of May 2025. To operate effectively in this changing environment, SSA needs quality workload information that accounts for complexity to ensure it can accurately assess and document its IT acquisition staffing needs to accomplish its future goals. Training. An SSA assessment found that senior-level contracting officers had deficiencies in acquisitions-related competencies. SSA officials said they are seeking trainings to address these deficiencies; however, SSA’s existing training plan has not been updated since 2019. Given the time since the last training plan update and ongoing organizational changes, it is not clear if SSA will prioritize implementing training to address these gaps. A training plan that addresses the acquisitions-related competency gaps identified for contracting officers, including those who support IT contracts, remains vital as it would help ensure that contracting officers have the skills to support SSA’s current and future IT contracting needs. Why GAO Did This Study SSA’s IT acquisition staff oversee how the agency buys and maintains technology resources. SSA, however, has experienced long-standing human capital and IT modernization planning challenges. These challenges preceded SSA’s efforts to reduce the size of its workforce and contractor and IT spending. GAO was asked to review SSA’s workforce planning practices for staff who support IT contracts. This report examines SSA’s obligations for IT products and services from fiscal years 2020 to 2024; and the extent to which the Office of Acquisition and Grants and the Office of the Chief Information Officer assessed and addressed their IT acquisition workforce needs. To conduct this work, GAO analyzed SSA’s contract obligation data for fiscal years 2020 to 2024 (the latest available information for a full fiscal year) and determined that the data were reliable. GAO also reviewed SSA guidance, data on contracting officer and contracting officer representative assignments, and a competency assessment report for contracting officers.

What GAO Found The U.S. African Development Foundation (USADF), as part of its overall internal controls, had some policies and procedures to mitigate fraud, waste, and abuse, but no strategic approach, from fiscal year 2020 through 2024. USADF did have conflict of interest rules, ethics training, and some financial controls; however, many of the related policies were outdated, not centrally located, and did not reflect actual practices. The President has indicated his intention to close USADF in his fiscal year 2026 budget request, and Congress has approved a partial rescission of USADF’s fiscal year 2025 funding. However, no final decisions about the future of USADF have been made as of July 2025. If USADF continues to operate, an effective agency-wide internal control environment—where management uses processes to help an entity consistently and effectively achieve its objectives—could help USADF detect and mitigate potential fraud, waste, and abuse. USADF has taken some steps but has implemented few leading practices for managing fraud risks. For example, USADF did not have a dedicated individual or entity to lead fraud risk management activities and had not followed leading practices to plan and conduct regular fraud risk assessments or to develop a strategy to mitigate them. Without strategically and systematically implementing leading practices for managing fraud risks, USADF is more vulnerable to fraud. U.S. African Development Foundation Operates Throughout Africa GAO also found that USADF had some policies and procedures to ensure award funds were used appropriately, but they were incomplete, and most were outdated. For example, many policies guiding the use of grants were outdated or undocumented, which opens the door for the misuse of funds. Further, GAO found that there were instances when USADF may have used an award type that did not align with legal requirements. Without adequate award policies and procedures and trained procurement staff, USADF could not ensure that it appropriately used funds to achieve its mission. Why GAO Did This Study Established in 1980 as a nonprofit government corporation, USADF has aimed to support African-led enterprises, while addressing challenges around food insecurity, insufficient energy access, and unemployment, particularly among women and youth. In fiscal year 2024, Congress appropriated $45 million to USADF, which also received funds from other sources. USADF has faced allegations of fraud, waste, and abuse, and the Office of Inspector General has an ongoing investigation into USADF. GAO was asked to review fraud risk management at USADF. This report examines the extent that USADF (1) had policies to systematically prevent, detect, and respond to the risk of fraud, waste and abuse, (2) followed leading practices for managing fraud risk, and (3) had policies to ensure funding for program and operational awards were used to achieve its mission. GAO reviewed relevant laws and agency documents; interviewed USADF officials in Washington, DC, Zambia, and Nigeria; and conducted a site visit to USADF grantees in Zambia.

What GAO Found U.S. Customs and Border Protection (CBP) uses non-intrusive inspection (NII) systems, such as X-ray machines, to inspect vehicles and travelers at land ports of entry (POE). As part of this process, CBP officers use large-scale NII systems to scan entire vehicles and their contents. These scans produce images that CBP officers review to help detect illegal drugs or other contraband. In 2020, to increase vehicle scans, CBP began deploying these systems to preprimary inspection areas—before a traveler is interviewed by a CBP officer. Previously, NII systems were generally used only when an officer determined that further inspection was required after the interview. Non-Intrusive Inspection Systems Deployed in the Preprimary Inspection Area at the Bridge of the Americas, El Paso, Texas CBP uses performance data to help ensure large-scale NII systems are operational, but it has not defined all key performance parameters for NII systems. For one key parameter, CBP reports and uses data on the percent of time that large-scale NII systems are available for operational use. However, CBP has not clearly defined or reported results for its other two key parameters related to inspection rate and examination of containers and cargo. For example, CBP’s inspection rate parameter requires 100 percent inspection of high-risk commercial vehicles and container cargo, but CBP has not clearly defined the term high risk. Clearly defining and reporting results for all of its key performance parameters would help CBP manage the NII program and inform future procurement decisions. CBP has made progress deploying large-scale NII systems. As of February 2025, 52 of 153 planned systems are fully operational, nearly all at preprimary inspection areas. Deployments have cost more than CBP estimated due to, for example, unexpected construction challenges. Congress directed CBP to develop a plan to achieve 100 percent scanning of commercial and passenger vehicles and rail containers at land POEs using large-scale NII by 2027. However, some POEs lack installation space and CBP’s plans for the southwest border omit nine passenger vehicle crossings that together account for nearly 40 percent of passenger vehicle traffic at that border. Without these crossings in its plan, CBP risks entry of many unscanned passenger vehicles, hampering its ability to prevent illegal drugs and other contraband from entering the U.S. Why GAO Did This Study Since 2019, CBP has received over $2 billion that they have used to deploy additional NII systems to land POEs, which are a key drug smuggling route. GAO was asked to review the implementation and effectiveness of CBP’s NII program. This report examines (1) how CBP uses NII systems during inspections at land POEs, (2) CBP’s assessment of large-scale NII performance, and (3) the status of large-scale NII system deployments. GAO analyzed NII program documentation, including inspection procedures, performance data, and deployment plans, and interviewed program officials. GAO also interviewed and observed CBP officers conducting inspections at land POEs within all four field offices where large-scale NII systems had been deployed in preprimary inspection areas. These POEs included a variety of large-scale NII systems and types of crossings (passenger and commercial vehicles, and rail) along the southwest border. GAO also interviewed officials at a northern border field office that was in the process of deploying new large-scale NII systems.