What GAO Found
Congress enacted the Defense Production Act (DPA) in 1950 to grant the President expanded authority over critical production and economic policy to ensure the availability of industrial resources for national defense, particularly during times of emergency. Three DPA title authorities are currently in effect:
Title I Priorities and Allocations. Allows delegated agencies and others to require companies in the U.S. to prioritize certain contracts or orders and allocate materials, services, and facilities to promote national defense.
Title III Expansion of Productive Capacity and Supply. Allows delegated agencies to provide investments such as purchases and purchase commitments, as well as loans to suppliers, to sustain or expand production for national defense.
Title VII General Provisions. Allows delegated agencies to assess the industrial base, establish voluntary agreements with industry to foster collaboration, and create an executive reserve to aid federal agencies in times of national emergency, among other things.
Selected Agencies’ Use of DPA Authorities, Fiscal Years 2018 to 2024
GAO’s prior work found that agencies experienced a number of challenges when using the DPA authorities, such as difficulties tracking Title I priority rated contracts during the COVID-19 response. GAO made four recommendations in 2020 and 2021. The agencies have taken action to address all but one of the recommendations, which was for the U.S. International Development Finance Corporation to evaluate the effectiveness of its Title III loan program.
GAO’s report publicly released today found additional challenges. For example, the Department of Defense (DOD) found that industry partners did not always understand how to apply priority ratings throughout the supply chain. DOD is conducting outreach to ensure an understanding of these Title I responsibilities. Additionally, the DPA government-wide coordinator, currently the Federal Emergency Management Agency, has not collected and shared lessons learned from DOD’s extensive use of Title III over multiple decades, but doing so could benefit other agencies.
Why GAO Did This Study
The DPA is a key tool to enable the domestic industrial base—including companies in the U.S. and certain allied nations—to maintain or increase production of defense resources.
Since the DPA was last authorized in 2018, Congress has appropriated at least $3.8 billion for DPA-related activities. Federal agencies have used DPA authorities for a variety of reasons, including to secure access to personal protective equipment like gloves and masks during the COVID-19 response.
This testimony is based on GAO’s DPA-related reports issued in November 2020 (GAO-21-108) and November 2021 (GAO-22-104511), and a report being issued today (GAO-25-107688). This testimony focuses on federal agencies’ use of the DPA authorities and the challenges these agencies faced.
GAO collected data from fiscal years 2018 through 2024 from the seven federal agencies that are delegated responsibility for implementing the DPA authorities, as identified in Executive Order 13603 issued in March 2012. These agencies are the Departments of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, and Transportation.
Additional details about the scope and methodology for GAO’s reports are included in those products.
What GAO Found
The Defense Production Act (DPA) is a key tool that delegated federal agencies can use to ensure the supply and timely delivery of products, materials, and services in times of peace as well as during national emergencies. Since the DPA was enacted in 1950, Congress amended it to broaden its applicability beyond military use and include crises resulting from natural disasters or human-caused events. Currently, there are three parts of the DPA, known as Titles, in effect:
Title I allows agencies delegated authority by the President to place priority ratings on contracts or orders that support national defense. These priority ratings require U.S. companies to meet the government’s delivery needs over unrated orders. Title I also authorizes agencies delegated by the President to allocate materials, services, and facilities as necessary or appropriate to promote the national defense.
Title III allows agencies delegated authority by the President to provide financial incentives to suppliers to meet national defense goals. These incentives include investments and loans, which can help reduce the risks for suppliers to secure resources required to establish, expand, or preserve production capabilities.
Title VII provides the President a range of authorities, some of which may be further delegated, including the ability to conduct industrial base assessments, establish voluntary agreements, and create executive reserves to include private sector personnel to assist agencies in times of national emergency.
For this review, GAO selected the seven federal agencies delegated responsibility for implementing DPA authorities: the Departments of Agriculture (USDA), Commerce, Defense (DOD), Energy (DOE), Homeland Security (DHS), Health and Human Services (HHS), and Transportation.
GAO found that the most used DPA authority in fiscal years 2018 to 2024 was the Title I authority for priority ratings. Selected agencies used Title I authorities to ensure timely delivery of goods or services needed to respond to a variety of national security threats including natural disasters and the COVID-19 pandemic.
Selected Agencies’ Estimated Total Number of Priority Ratings Placed, Fiscal Years 2018 to 2024
Agencies used Title III authorities to sustain production capacity during COVID-19, increase domestic manufacturing capacity, and bring new suppliers into the market. DOD, HHS, and DOE provided 222 investments valued at about $3.2 billion to at least 182 U.S. industrial base companies.
Selected Agencies’ Defense Production Act Title III Investments by Area, Fiscal Years 2018 to 2024
Agencies used Title VII authorities to assess the industrial base and to establish or maintain voluntary agreements that allow for the sharing of information to provide needed resources with protection from aspects of antitrust laws.
Selected Agencies’ Use of Defense Production Act Title VII Authorities, Fiscal Years 2018-2024
Agencies experienced various challenges when using DPA authorities. For example, DOD and HHS found that companies receiving rated orders did not always understand their responsibilities for passing the rating along to their suppliers. To address this challenge, both agencies are engaged in educational outreach efforts to their contracting officers and companies receiving rated orders. Additionally, for Title III, HHS officials said that, as the first civilian agency to request a presidential determination, they found the process time consuming and difficult to navigate. DOD has the most experience using Title III authorities and has developed helpful practices, such as continuing to monitor some investments beyond the contract’s period of performance to maintain visibility into production capacity. However, FEMA—the current government-wide DPA coordinator—has not collected and shared these lessons learned. Doing so would better position agencies to award and monitor the outcomes of future Title III investments.
Why GAO Did This Study
The various DPA authorities enable the domestic industrial base—which consists of companies within the U.S. and certain allied nations—to maintain or increase production of key defense resources. In 2018, Congress reauthorized the DPA through September 30, 2025, at which point most of the DPA’s provisions will expire.
GAO was asked to review agencies’ use of the DPA authorities since the last reauthorization, including challenges and areas for improvement. This report describes how agencies have used each of the DPA authorities from fiscal years 2018 to 2024 as well as examples of outcomes of its use. It also examines challenges experienced and the extent to which agencies can take actions to more effectively use the DPA authorities.
GAO analyzed information from the seven selected federal agencies on their use of DPA authorities from fiscal years 2018 to 2024; assessed DOD data on outcomes for completed Title III investments; and discussed the effects and challenges of DPA use on the industrial base with relevant agency officials, industry representatives, and one company that received Title III funding.
The U.S. Government Accountability Office (GAO) and the Council of the Inspectors General on Integrity and Efficiency (CIGIE) maintain the Financial Audit Manual (FAM).
For more information, please visit the main FAM page, or contact Dawn B. Simpson at SimpsonDB@gao.gov.
What GAO Found
The Joint Pipeline Office (JPO) coordinates oversight of the Trans-Alaska Pipeline System (TAPS) among six federal agencies—including the Department of the Interior's Bureau of Land Management (BLM), which is the lead federal agency, and the Pipeline and Hazardous Materials Safety Administration (PHMSA)—as well as six Alaska state agencies. TAPS includes an 800-mile pipeline and the Valdez Marine Terminal, where the oil is loaded onto tankers. Since JPO's formation in 1990, member agencies have scaled back their approach to joint oversight and reporting. JPO agencies initially shared a physical office and published public reports on their joint monitoring activities. Starting in 2005, JPO reduced its joint activities and public reporting due to fewer projects along the pipeline and shifts in federal roles. In recent years, individual JPO agencies have continued to provide oversight and JPO has served as a forum for participating agencies to share information and coordinate oversight.
Aboveground Portion of the Trans-Alaska Pipeline near Fairbanks, Alaska
GAO found that JPO's activities generally align with five of eight leading practices that are critical for effective interagency collaboration, such as identifying and sustaining leadership and including relevant participants. However, JPO's activities do not align with three leading collaboration practices: defining common outcomes, clarifying roles and responsibilities, and updating written agreements. Specifically, JPO no longer works toward several intended outcomes that it documented in 2008, including producing public reports. In addition, some JPO agencies and stakeholders said JPO members' roles and responsibilities were unclear and raised concerns about possible gaps in oversight, especially at the Valdez Marine Terminal. Redefining and documenting the intended outcomes of JPO's oversight activities, such as those aiming to inform the public of its oversight efforts, would help JPO agencies work toward shared goals. In addition, clarifying and documenting participating agencies' roles and responsibilities would help it identify any potential gaps in oversight that could affect safety.
Why GAO Did This Study
In 1989, the supertanker Exxon Valdez spilled over 11 million gallons of oil into Prince William Sound. Since its formation in response to this incident, JPO has played a critical role in coordinating TAPS oversight among federal and state agencies. Almost 35 years after the spill, some stakeholders have expressed concern that JPO no longer effectively coordinates safety oversight.
GAO was asked to review changes in JPO's activities, as well as JPO's collaborative efforts. This report (1) describes how JPO's safety oversight activities have changed since 1990, and (2) evaluates the extent to which JPO's safety oversight activities align with leading collaboration practices.
GAO reviewed documents and interviewed officials from four federal and four Alaska state JPO agencies. GAO conducted site visits in Valdez and Anchorage, Alaska. GAO also analyzed PHMSA data on pipeline accidents; reviewed relevant statutes and regulations; and interviewed 13 stakeholders from industry, safety, environmental, and other groups. In addition, GAO compared JPO's safety oversight activities with leading collaboration practices.
What GAO Found
The Department of Energy's (DOE) National Nuclear Security Administration (NNSA) leads U.S. efforts to support nuclear and radiological security and safety in Ukraine. NNSA has used its supplemental funding for efforts such as providing security upgrades at nuclear facilities, training for nuclear incident response, and countering nuclear smuggling. The Departments of Defense and State and the Nuclear Regulatory Commission used supplemental or regular appropriations, or a combination, to conduct a smaller range of related activities. These included providing radiation detection equipment and helping reduce Ukrainian nuclear reactors' dependency on Russian nuclear fuels.
Truck Moving Nuclear Safety Equipment in Ukraine
While NNSA took steps to manage fraud risk at the individual contract level, it did not conduct a program-level fraud risk assessment tailored to its nuclear and radiological security and safety efforts in Ukraine. A tailored fraud risk assessment is a leading practice for effective antifraud strategy, according to GAO's Fraud Risk Framework. DOE guidance generally directs offices to follow the framework's leading practices. However, it does not include specific guidance directing offices to conduct assessments outside of DOE's annual agency-wide fraud risk assessment cycle when there are structural changes to the program, changes to the operating environment, or new services added—as happened for programs responding to the invasion of Ukraine. By updating its guidance with such direction, DOE will better ensure its offices consistently assess emerging fraud risks and design appropriate mitigation measures before obligating taxpayer funds.
NNSA intends to transition responsibility for certain nuclear security efforts to Ukrainian partners but has not documented transition plans for these efforts. Doing so is a program management leading practice. NNSA officials said uncertainties in operating conditions as a result of the ongoing conflict complicate transition planning. However, formalizing transition plans, which NNSA can adapt as operating conditions change, would provide NNSA, Congress, and taxpayers stronger assurance that Ukrainian partners can sustain the efforts that the U.S. invested in after U.S. support ends.
Why GAO Did This Study
Russia's 2022 invasion of Ukraine has jeopardized nuclear security and safety there. Congress appropriated more than $113 billion in supplemental funding, including $161.3 million for NNSA to respond to the situation. The conditions on the ground in Ukraine have increased fraud risk, and the history of U.S. nuclear security assistance to Ukraine has raised questions about NNSA's plans to transition responsibility to Ukrainian organizations to sustain these efforts.
The Consolidated Appropriations Act, 2023, includes a provision for GAO to conduct oversight of the supplemental funding. This report addresses (1) agency efforts to support nuclear and radiological security and safety in Ukraine, (2) NNSA's steps to mitigate fraud risks, and (3) NNSA's planning to transition responsibility for relevant efforts to Ukrainian partners.
GAO reviewed agency documents, including procedures for mitigating fraud risk, and a sample of its contracts for Ukraine-related efforts. GAO also interviewed U.S. agency officials and received written responses from Ukrainian agencies. This is a public version of a Controlled Unclassified Information (CUI) report issued in April 2025. Information that NNSA deemed CUI has been omitted.
What GAO Found
According to the Department of Defense's (DOD) fiscal year (FY) 2025 Federal IT Dashboard (Dashboard) data, the department planned to spend $10.9 billion on its portfolio of 24 major IT business programs from FY 2023 through FY 2025. The four largest programs account for 43 percent of the planned spending (see figure).
The Department of Defense's (DOD) Planned Costs for the Four Largest IT Business Programs Compared to the Remaining 20 Selected Programs from Fiscal Year (FY) 2023 through FY 2025
Officials from 14 of the 24 IT business programs reported cost and/or schedule changes since January 2023. This included 12 programs that reported cost increases of $6.1 million to $815.5 million (a median of $173.5 million) and seven programs that reported a schedule delay ranging from 3 months to 48 months (a median of 15 months).
While DOD improved its performance reporting, not all programs reported required categories of performance and most programs reported mixed progress in achieving performance goals. If they have operational investments, programs are required to identify and track a minimum of five performance metrics in the categories of customer satisfaction, strategic and business results, financial performance, and innovation. Of the 19 IT business programs that had operational investments, 14 identified the minimum required number of performance metrics in each category. However, the remaining five did not do so. Accordingly, the extent to which these five programs were improving customer satisfaction, increasing financial performance, and delivering innovative approaches is unknown.
Regarding achieving performance goals, of the 19 programs that identified metrics, one program met all performance targets, 17 programs met at least one target, and one program met no targets.
Of the 24 programs, 11 DOD IT business programs reported actively developing software using recommended Agile and iterative software development approaches and practices. However, in areas related to tracking customer satisfaction and progress of software development, three of the 11 programs did not use metrics and management tools required by DOD and consistent with GAO's Agile Assessment Guide (see table). GAO previously recommended that DOD address this issue.
Department of Defense (DOD) Major IT Business Programs Actively Developing Software Reported Using Iterative Development Approaches and Practices
Development approach or practice | Number of programs that reported using each approach or practice
Using recommended Agile and iterative approaches | 11 of 11
Using required metrics and management tools to track customer satisfaction and progress of software development | 8 of 11
Source: GAO analysis of DOD program questionnaire responses as of March 2025. | GAO‑25‑107649
Further, two programs did not have an approved cybersecurity strategy. GAO has previously recommended that all programs develop such a strategy. In addition, four programs had not developed plans to implement zero trust architecture in their cybersecurity frameworks by DOD's 2027 deadline. GAO will continue to monitor the department's progress in developing plans to address zero trust.
Department of Defense (DOD) Major IT Business Programs That Reported Having an Approved Cybersecurity Strategy or Implementing Zero Trust Architecture
Development approach or practice | Number of programs that reported using each approach or practice
Having a DOD approved cybersecurity strategy | 22 of 24
Implementing zero trust architecture as part of the security framework | 20 of 24
Source: GAO analysis of DOD program questionnaire responses as of March 2025. | GAO‑25‑107649
DOD continues to make efforts to improve its management of IT investments as a result of legislative and policy changes. These efforts include revising its business systems investment management guidance, modernizing its business enterprise architecture, adopting a zero trust cybersecurity strategy, and developing AI acquisition guidance. GAO will continue to monitor DOD's efforts to improve how the department manages its IT investments.
Why GAO Did This Study
Information technology is critical to the success of DOD's major business functions. These functions include health care, human capital, financial management, logistics, and contracting.
The National Defense Authorization Act for FY 2019, as amended, includes a provision for GAO to conduct assessments of selected DOD IT programs annually through March 2029. GAO's objectives for this sixth such review were to (1) examine the current status of cost, schedule, and performance of selected DOD IT business programs; (2) determine the extent to which DOD has implemented key software development and cybersecurity practices for selected programs; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.
To address the first objective, GAO selected 24 DOD IT business programs that DOD listed as major IT investments in its FY 2025 submission to the Federal IT Dashboard. In analyzing the FY 2025 Dashboard data, GAO examined DOD's planned expenditures for these programs from FY 2023 through FY 2025.
GAO also administered a questionnaire to the 24 program offices to obtain and analyze information about cost and schedule changes that the programs reported experiencing since January 2023.
Further, GAO compared programs' performance metrics data reported on the Dashboard to OMB guidance and met with DOD Office of the Chief Information Officer officials to determine reasons for differences between how metrics data were reported and reporting guidance.
To address the second objective, the questionnaire also sought information about software development and cybersecurity practices. This included programs' use and documentation of Agile tools and metrics and development of cybersecurity strategies, including zero trust cybersecurity. GAO compared the responses and documentation against relevant guidance and leading practices to identify gaps and risks. For programs that did not demonstrate having documentation or strategies, GAO followed up with DOD officials for clarification.
For the third objective, GAO reviewed (1) policy, plans, and guidance associated with the department's efforts to implement changes to its defense business systems investment management guidance and business enterprise architecture and (2) efforts to adopt zero trust cybersecurity principles and develop AI acquisition guidance. GAO also met with DOD Office of the Chief Information Officer officials to discuss their efforts in these areas.
What GAO Found
The Department of Defense (DOD) continues to struggle with delivering innovative technologies quickly and within budget. Since its last annual assessment, GAO found:
Program development delays and inflation, among other things, contributed to cost growth in the major defense acquisition program (MDAP) portfolio.
Programs spent development time on efforts with low levels of maturity while using the middle tier of acquisition (MTA) pathway intended for speed.
Future major weapon acquisitions (newer efforts that have yet to begin on a pathway) did not take full advantage of product development practices that lead to efficiencies.
Program challenges and inflation drove major defense acquisition program portfolio costs. Combined total estimates increased by $49.3 billion for 30 MDAPs also included in last year's report. The Air Force's Sentinel missile program accounted for over $36 billion (73 percent) of this increase.
Major Defense Acquisition Programs Continue to Delay Capability Deliveries
DOD plans to invest $44.5 billion across 20 of its most expensive MTA programs—intended to be completed in 2 to 5 years. Combined costs increased by about 3 percent for 14 programs we also assessed last year—despite one program reducing the number of units it intended to buy and another program ending earlier than planned.
Further, schedule delays persisted. The expected time for MDAPs to provide even an initial capability increased this year by 18 months, up to almost 12 years from the program's start—an average that includes MDAPs that began as MTAs. Several MDAPs reported delays to expected initial operational capability by more than a year, while some MTA programs plan to deliver initial capability to the warfighter multiple years after the current MTA programs end.
Some programs used the MTA pathway to develop critical technologies. Some programs entered the MTA pathway—used for rapid prototyping and rapid fielding efforts—with low levels of technology maturity, resulting in lengthy development instead of the speed for which that pathway was designed. GAO also reviewed seven former MTA programs with low levels of technology maturity at MTA initiation. GAO found that none were ready for production or fielding when the effort ended and will continue to monitor this issue.
Future programs do not plan to fully use leading practices before initiation. Opportunities exist for future major weapon acquisitions that have yet to start on an adaptive acquisition pathway to leverage leading practices during the earliest stages of the program—before they become locked into rigid requirements, budgets, and development approaches. These future programs reported that they intended to incorporate leading practices generally at levels at or below the levels reported by current MDAPs or MTAs. This is because decision-makers in DOD and across the military services do not take steps to ensure that future programs include leading practices (discussed below). Incorporating leading practices prior to formally starting a new program can help programs take full advantage of the efficiencies they provide.
Most programs GAO reviewed do not fully implement leading practices in concert to achieve efficiencies. For example, most programs reported using a modular open systems approach—generally required by statute—which allows them to easily add or replace weapon parts over time. Few, however, reported plans to establish a minimum viable product (an initial set of capabilities that can be iterated upon), use digital twinning (a virtual representation of a physical product), or use digital threads (real-time data to inform decision-making). These practices are most effective when they are used together as part of an iterative approach to product development.
Most Programs GAO Reviewed Do Not Fully Implement Leading Practices, Including Future Efforts That Are Newer and Have Opportunities to Do So
GAO made seven recommendations in March 2022 and December 2024 for DOD and military services to update acquisition policies and guidance to reflect leading practices that facilitate speed and innovation. DOD concurred with six recommendations and partially concurred with one to the Army, stating that the Army did not consider it fully applicable to a specific pathway. GAO maintains its applicability.
Why GAO Did This Study
DOD plans to invest nearly $2.4 trillion to develop and acquire its costliest weapon programs. But it continues to struggle with delivering timely and effective solutions to the warfighter. Weapon systems are more complex and software-driven than ever before. DOD implemented recent reforms intended to lead to faster results, but slow, linear development approaches persist.
This report, GAO's 23rd annual assessment, responds to a provision Congress included in statute for GAO to annually review selected DOD acquisition programs and efforts. It assesses the characteristics and performance of 106 of DOD's costliest weapon programs.
It further analyzes selected programs' implementation of leading practices for product development, as described in GAO-23-106222, among other objectives.
GAO identified programs for review based on cost and acquisition status; collected program documents; used a questionnaire to obtain data from program offices; and interviewed DOD officials.
What GAO Found
In June 2025, GAO reported that the Department of Defense (DOD) plans to invest nearly $2.4 trillion to develop and acquire 106 of its costliest weapon programs. Yet the expected time frame for major defense acquisition programs to provide warfighters with even an initial capability is now almost 12 years from program start. These time frames are incompatible with meeting emerging threats. While DOD and Congress have made efforts to identify efficiencies, more radical change is needed.
Major Defense Acquisition Programs Continue to Delay Capability Deliveries
DOD remains deeply entrenched in a traditional linear acquisition structure—characterized by rigid, sequential processes—that has proven inadequate in adapting to evolving threats and integrating emerging innovation. In a linear acquisition, the cost, schedule, and performance baselines are fixed early. Thus, programs develop weapon systems to meet fixed requirements that were set years in advance. This risks delivering a system—sometimes decades later—that is already obsolete. In contrast, leading companies use iterative cycles to design, validate, and deliver complex products with speed. Activities in these iterative cycles often overlap as the design undergoes continuous user engagement and testing, which allows the product to get to market quickly.
DOD has made efforts to address problematic aspects of the defense acquisition system, particularly for furthering innovation. For example, it established the Defense Innovation Unit to further commercial technology adoption and provides various financial flexibilities. However, these remain largely workarounds to address problems that result from the current acquisition system, rather than enduring solutions that fix the underlying system itself.
GAO’s recent and ongoing body of work on practices used by leading companies could provide a blueprint for reform.
Why GAO Did This Study
Despite recent reforms, DOD remains plagued by escalating costs, prolonged development cycles, and structural inefficiencies that impede its ability to acquire and deploy innovative technologies with speed. The 2022 National Security Strategy and the 2022 National Defense Strategy make clear that the acquisition processes that DOD has used in the past are too slow to address emerging threats of the future. An April 2025 executive order states that a comprehensive overhaul of DOD’s acquisition system is needed to deliver state-of-the-art capabilities at speed and scale.
This testimony addresses (1) DOD’s ongoing challenges to delivering weapon systems within cost, schedule, and performance parameters, and (2) how leading practices for product development can inform changes to the defense acquisition system. This statement draws largely from GAO’s 2025 annual assessment of DOD’s major weapon systems (GAO-25-107569) and GAO’s leading practices for product development (GAO-23-106222). It also leverages GAO’s extensive body of work on DOD weapon systems acquisitions and recent reports on individual weapon systems and innovation and flexibilities in DOD procurement efforts.
What GAO Found
Federal agencies identify and verify that users attempting to access government services, benefits, and other resources are who they claim to be. This identity-proofing process may occur in person, by telephone, or online. The National Institute of Standards and Technology has issued guidance defining three risk-based identity-assurance levels for online interactions: (1) some confidence of claimed identity, (2) high confidence, and (3) very high confidence.
In implementing its identity-proofing program, the Internal Revenue Service (IRS) determined that it needed identity assurance level (IAL) 2 in providing users access to certain online IRS applications. A private credential service provider, ID.me, is IRS's sole provider of level 2 identity-proofing products and supporting activities. These activities include having individuals provide evidence, such as a driver's license, and biometric evidence, such as a selfie (see figure).
High-Level Identity Assurance Level 2 Digital Identity-Proofing Process
The reach of IRS's digital identity-proofing program is considerable—users accessed IAL 2 applications more than 150 million times between 2021 and 2024, according to IRS data.
IRS is conducting several oversight activities to monitor ID.me and overall program performance. These include (1) issuing 12 directives to ID.me on ensuring its solutions protect users' privacy; (2) documenting data validation checks to determine if ID.me is adhering to contract terms and conditions; and (3) holding biweekly meetings with vendor representatives to discuss challenges, performance, and associated issues.
However, gaps remain in IRS's oversight of its identity-proofing program:
IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers' performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.
ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers' rights are protected and that the technologies are accurate, reliable, effective, and transparent.
Why GAO Did This Study
IRS offers more than 30 online applications to help taxpayers meet their tax obligations. To guard against fraud and abuse, IRS requires users to prove their identities when accessing these applications. This process can require users to divulge sensitive personal information about themselves.
GAO was asked to review IRS's identity-proofing program. This report assesses how IRS monitors and oversees the performance of its identity-proofing program.
GAO reviewed IRS policies and procedures associated with IAL 2 identity proofing; interviewed relevant IRS officials and ID.me staff; and reviewed ID.me-related performance data and contract information.
What GAO Found
The Department of Homeland Security (DHS) established the Continuous Diagnostics and Mitigation (CDM) program in 2012 to strengthen the cybersecurity of government networks and systems. Its goals are to: (1) reduce exposure to insecure configurations or known vulnerabilities; (2) improve federal cybersecurity response capabilities; (3) increase visibility into the federal cybersecurity posture; and (4) streamline Federal Information Security Modernization Act of 2014 (FISMA) reporting. The Cybersecurity and Infrastructure Security Agency (CISA) manages these goals across four capability areas (see figure). The program is meeting two of its four goals and partially meeting the other two, as discussed below.
Figure: Continuous Diagnostics and Mitigation Capability Areas
CDM has met two goals. First, it is reducing exposure to insecure configurations and known vulnerabilities—22 of 23 agencies reported that the program was helpful in accomplishing this. CDM is also meeting its incident response capability goal.
The program, however, has been less successful in meeting the other two goals.
Although CISA developed dashboards to visualize and provide insight into the federal cybersecurity posture and the associated capability areas noted above, officials from 21 of 23 agencies stated that they had not yet fully implemented network security and data protection capabilities. Several agencies cited a lack of guidance as contributing to the slow implementation.
While officials from four agencies stated that CDM helped to automate FISMA reporting, officials from seven other agencies said that data quality issues were adversely affecting efforts to streamline reporting, leading to manual updates to correct data errors.
Regarding supporting other initiatives, the Office of Management and Budget (OMB) established expectations that CDM would support federal cybersecurity efforts on zero trust architecture, endpoint detection and response, and cloud asset management. CDM has generally met expectations for the zero trust architecture program. However, CISA had not finalized key activities to support endpoint detection and cloud asset management. CISA's actions to implement an endpoint solution for all agencies and issue updated guidance on cloud asset management would improve the cybersecurity posture of federal agencies.
Why GAO Did This Study
A key aspect of a rigorous cybersecurity program is continuously monitoring networks and systems to identify and manage risks. Consistent with the FISMA requirement for agency network monitoring, the CISA-led CDM program provides tools to agencies to assist in this effort.
FISMA includes a provision for GAO to periodically report on agencies' implementation of the act. Among its objectives, this report examines the extent to which the CDM program is (1) meeting its goals, and (2) supporting other federal cybersecurity initiatives.
GAO selected for review the 23 civilian agencies covered in the Chief Financial Officers Act of 1990 (CFO Act). GAO compared CDM program documentation against relevant guidance, and summarized survey results from the 23 civilian CFO Act agencies. GAO also interviewed CISA and OMB officials.
What GAO Found
In June 2024, GAO identified 90 priority open recommendations for the Department of Defense (DOD). Since then, DOD has implemented 15 of those recommendations, leading to improvements in preventing helicopter training accidents, clarifying barracks health and safety standards, and improving the quality of financial reporting, among other areas. Further, GAO removed the priority status from two other recommendations.
In May 2025, GAO identified 6 new priority recommendations for DOD, bringing the total number to 79. These recommendations involve the following areas:
Sustaining U.S. readiness and competitive advantage over adversaries;
Improving financial management;
Ensuring the health and safety of service members and their families;
Strengthening infrastructure management; and
Executing business reform.
DOD's continued attention to these issues could lead to further improvements in the department's operations.
Why GAO Did This Study
Priority open recommendations are the GAO recommendations that warrant priority attention from heads of key departments or agencies because their implementation could save large amounts of money; improve congressional and/or executive branch decision-making on major issues; eliminate mismanagement, fraud, and abuse; or ensure that programs comply with laws and funds are legally spent, among other benefits. Since 2015, GAO has sent letters to selected agencies to highlight the importance of implementing such recommendations.
For more information, contact Cathy A. Berrick at berrickc@gao.gov.
What GAO Found
The Department of Homeland Security (DHS) employs assets—including aircraft and vessels—and personnel across the U.S. and abroad to secure U.S. borders, support criminal investigations, and ensure maritime security and safety. Relevant DHS components include the Coast Guard, U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement's Homeland Security Investigations.
In prior work, GAO identified coordination challenges that hinder U.S. efforts to confront illicit maritime activities and recommended actions to improve oversight, measure effectiveness, and build organizational capacity. For example:
In March 2025, GAO found that Homeland Security Investigations had not fully implemented certain training requirements due to disagreements over training content with the Drug Enforcement Administration, with whom they coordinate. Without doing so, the agencies cannot ensure that their agents are properly trained to collaborate effectively on counternarcotics investigations.
In February 2024, GAO found that DHS had not developed targets for its coordinated efforts to combat complex threats like drug smuggling and terrorism—limiting its ability to assess the effectiveness of its efforts.
In April 2024, GAO found that the Coast Guard had not assessed the type and number of helicopters it requires to meet its mission demands, as part of an analysis of its assets. Doing so could help ensure it has the necessary aircraft capability to execute its missions in the coming decades.
Figure: Coast Guard Cocaine Seizure in the Caribbean Sea, September 2023
DHS components and their law enforcement missions are vital to confronting and mitigating illicit maritime activities. Addressing GAO's recommendations on setting targets and managing assets and personnel will help ensure that DHS efficiently uses its available resources to carry out its law enforcement missions to protect our maritime borders.
Why GAO Did This Study
Securing the nation's borders against unlawful movement of people, illegal drugs and other contraband, and terrorist activities is a key part of DHS's mission. While there is increased attention to the southwest land border, criminal organizations continue to use maritime routes to smuggle people, drugs, and weapons into the United States.
The U.S. government has identified transnational and domestic criminal organizations trafficking and smuggling illicit drugs as a significant threat to the public, law enforcement, and national security. In March 2021, GAO added national efforts to prevent, respond to, and recover from drug misuse to its High Risk List.
This statement discusses (1) key DHS resources to counter illicit maritime activities and (2) DHS operational challenges related to its efforts to counter illicit maritime activities. This statement is based primarily on 15 GAO reports published from July 2012 to April 2025.