To alert the audit community to changes in professional standards, we periodically issue Professional Standards Updates (PSU). These updates highlight the effective dates of recently issued standards and guidance related to engagements conducted in accordance with Government Auditing Standards. PSUs contain summary information only, and those affected by a change should refer to the respective standard or guidance for details.

What GAO Found In March 2023, the Small Business Administration (SBA) established 12 best practices to help participating agencies manage risks posed by small business applicants in their Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs. GAO found that participating agencies and selected components have incorporated some best practices in their due diligence efforts, but gaps remain. For example, as of August 2025 all agencies had incorporated three of the 12 best practices, such as leveraging standardized foreign affiliation disclosures to capture consistent information. Most agencies incorporated additional practices, such as documenting a risk-based approach to their due diligence processes, and some incorporated practices such as determining “covered individuals” required to submit disclosures (see figure). The SBIR and STTR Extension Act of 2022 (Extension Act) requires participating agencies to incorporate the applicable best practices in their due diligence programs to the extent practicable. Doing so may improve agencies’ ability to manage potential foreign risks. The Extension Act also requires participating agencies to assess SBIR and STTR applicants’ cybersecurity practices. GAO found that nine of the 11 participating agencies and selected components did so using a variety of mechanisms, including business intelligence tools and self-assessment forms. However, two of the agencies GAO reviewed—the National Science Foundation (NSF) and the U.S. Department of Agriculture (USDA)—are not assessing all applicants’ cybersecurity practices. NSF officials told GAO that its applicants are small and nascent companies with limited electronic assets or systems to protect. USDA officials stated they previously understood training applicants on cybersecurity would suffice as an assessment. Until NSF and USDA incorporate cybersecurity assessments into their due diligence programs, they are at an increased risk of making awards to applicants that are vulnerable to cyberattacks.   SBA conducts information sharing meetings for agencies to discuss due diligence efforts, but GAO found agencies have gaps in how they have incorporated SBA’s best practices to manage and reduce foreign risks. For example, GAO found some agencies are not incorporating certain best practices because, in part, they lack clarity on the intent of the practice or the best means to incorporate it. In August 2025, SBA officials acknowledged that based on the gaps and agency needs we identified in this report, additional opportunities may exist for SBA to engage with agencies on the challenges and impacts of incorporating the best practices and due diligence programs. The SBA-facilitated meetings could provide a discussion forum on agencies’ challenges in incorporating the best practices, potential for additional guidance, and possible revisions. Why GAO Did This Study The SBIR and STTR programs fund research and development (R&D) performed by U.S. small businesses. In fiscal year 2023, federal agencies issued more than 6,300 such awards in areas such as defense and environmental protection. However, Congress and U.S. intelligence agencies have expressed concerns about foreign adversaries exploiting potential vulnerabilities in these programs and in entrepreneurial small businesses. The Extension Act requires the 11 participating agencies to implement due diligence programs to assess the security risks posed by small business applicants. It includes a provision for GAO to issue a series of reports on the implementation and best practices of agencies’ due diligence. This report is the third in this series and examines (1) agencies’ incorporation of the best practices, (2) their assessments of applicants’ cybersecurity practices, and (3) interagency mechanisms for sharing information on due diligence programs. To determine the extent to which agencies have incorporated SBA’s best practices, GAO reviewed agencies’ policies and procedures for conducting due diligence and assessing applicants’ cybersecurity practices. GAO also interviewed SBA and SBIR and STTR program officials at the participating agencies and selected components on the best practices.

What GAO Found The U.S. Department of State's Office of the Coordinator of U.S. Assistance to Europe and Eurasia (EUR/ACE) is responsible for coordinating and overseeing foreign assistance to Ukraine. In June 2023, EUR/ACE entered into a 3-year contract for Monitoring, Evaluation, and Audit Services for Ukraine Reporting (MEASURE). This contract assists EUR/ACE in overseeing nonhumanitarian, nonmilitary assistance programs implemented within Ukraine and funded by supplemental appropriations, such as training and equipping Ukraine's police and border guards and ensuring the safety of nuclear power operations. Many MEASURE contract tasks have been completed, such as progress reports on programs funded by U.S. assistance. For these reports, MEASURE's contractor compiled available information on outcomes of assistance, which EUR/ACE has used for decision-making, particularly with respect to project oversight. But data availability and timeframes to realize outcomes have varied, which have limited the MEASURE contractor's ability to analyze outcome information and conduct evaluations. In response, EUR/ACE has adjusted the structure and timing of contract deliverables to enhance their ability to inform decision-making. For example, EUR/ACE revised the progress reports to be more streamlined, include more analysis, and issue semiannually rather than quarterly. As of November 2025, MEASURE tasks not yet completed included evaluations across projects and a selection of strategic outcome indicators, both of which were meant to provide a broader sense of the effectiveness of Ukraine assistance. These and other deliverables were delayed due to implementation challenges, such as needing to negotiate access to key data and working in a wartime environment, as well as the administration's decision to conduct a foreign assistance review and pending updates to the Ukraine Assistance Strategy. EUR/ACE officials expect that the planned evaluations and selection of strategic outcome indicators will provide a greater sense of the extent to which the assistance provided has been effective in meeting U.S. objectives as defined in the Ukraine Assistance Strategy.  Why GAO Did This Study Since Russia's invasion of Ukraine in February 2022, the U.S. government has appropriated tens of billions in assistance for Ukraine and countries impacted by the situation in Ukraine. As of September 30, 2025, according to State, the MEASURE contract helped EUR/ACE oversee $6.1 billion of the supplemental appropriations for Ukraine—$4.3 billion from the first four supplementals and a further $1.8 billion from a fifth supplemental that is subject to change in fiscal year 2026. GAO was asked to review the oversight mechanisms in place for U.S. assistance to Ukraine. This report is part of a series of work GAO has done evaluating U.S. oversight of Ukraine assistance. This report discusses: the design and status of the MEASURE contract, challenges faced during implementation, the outcome information the MEASURE contract provided, and State's use of this information. GAO reviewed the MEASURE contract and associated deliverables and spoke with EUR/ACE officials, contractor representatives, and five U.S. government implementing entities on the implementation of the contract and associated challenges and mitigation efforts. GAO selected these entities based on factors such as their amount of Ukraine assistance funding.

What GAO Found The Space Development Agency (SDA) is developing space- and ground-based systems to detect and track potential missile threats in low Earth orbit. SDA aims to rapidly deliver capability and frequently update technology by delivering multiple satellites in phases, which it calls tranches, planned for contract award every 2 years. Each tranche needs to be replaced roughly 5 years after launch. However, SDA is at risk of being unable to deliver capability as quickly as planned. For example, SDA is overestimating the technology readiness of some critical elements it plans to use. This includes the spacecraft, which must be modified for the mission. As a result, contractors have performed additional unplanned work, which has added to already delayed schedules. Earth Orbits with Missile Warning Satellites Additionally, SDA’s requirements process is not transparent to users. For example, SDA is not sufficiently collaborating with combatant commands, which report having insufficient insight into how SDA defines requirements and when, or whether, SDA will deliver planned capabilities. Consequently, SDA is at risk of delivering satellites that do not meet warfighter needs. SDA reports achieving early milestones, but these achievements do not reflect schedule risks. SDA has continued to award new tranche contracts every 2 years irrespective of satellite performance. SDA relies on contractor schedules for each tranche but has not developed an overall or architecture-level schedule. Using an architecture-level schedule to monitor schedule risks would better position SDA and stakeholders to understand earlier how schedule changes affect SDA’s progress in delivering capabilities. In addition, the Department of Defense (DOD) does not know the life-cycle cost to deliver missile warning and tracking capabilities because it has not created a reliable cost estimate. SDA required limited cost data from contractors for tranches 1 and 2. Requiring more complete and frequent cost data moving forward would enable DOD to develop reliable cost estimates for future tranches. Why GAO Did This Study DOD is developing large constellations of satellites for missions that include missile warning and tracking. SDA’s effort—known as the Proliferated Warfighter Space Architecture—plans to have at least 300-500 satellites in low Earth orbit. This constellation is expected to cost nearly $35 billion through fiscal year 2029. Given the design life of the satellites, each one must be replaced about every 5 years. A Senate report contains a provision for GAO to assess DOD’s efforts to develop these capabilities. GAO’s report (1) describes SDA’s efforts to develop and deliver missile warning and tracking capabilities; (2) identifies risks SDA faces delivering these planned capabilities; (3) assesses aspects of SDA’s requirements process; and (4) evaluates the extent to which SDA is meeting schedule milestones and cost estimates. GAO reviewed relevant program, DOD, and contractor documents; assessed SDA’s schedule and cost estimates against best practices; conducted site visits to a ground operations center, the Boulder Ground Innovation Facility, which analyzes satellite data, and seven contractor sites; and interviewed SDA and DOD officials and three combatant commands.

What GAO Found Shared decision-making agreements with federal agencies enable Tribes to provide substantive, long-term input into natural and cultural resource management decisions for public lands. In treaties, Tribes ceded millions of acres of their territories to the federal government in exchange for certain commitments. Many of these areas are now public lands. Agencies committed in 2022 to ensure Tribes play an integral role in deciding how to manage federal natural resources. These agencies include the Departments of Agriculture, Commerce, and the Interior and their components, such as Agriculture’s Forest Service and Commerce’s National Oceanic and Atmospheric Administration (NOAA). GAO identified 11 features that strengthen shared decision-making agreements, including a commitment to seeking consensus and a clearly outlined dispute resolution process. Fully incorporating these 11 features into policies would better position agencies to strengthen shared decision-making. Agency and tribal officials GAO interviewed identified factors that facilitated agreement development, including having certain legal authorities. For example, the Indian Self-Determination and Education Assistance Act, as amended, authorizes eligible Tribes to assume administration of certain Interior programs through a self-governance agreement. However, the Forest Service and NOAA’s Office of National Marine Sanctuaries are not authorized to enter into this type of agreement, even though they manage natural resources similar to Interior. Providing these agencies a similar authority would allow for increased tribal input into management decisions, consistent with current administration priorities. Factors That Agency and Tribal Officials Said Facilitated or Impeded Development of Shared Decision-Making Agreements Agency and tribal officials also identified factors that impeded development of agreements, including limited agency understanding of legal authorities and incomplete guidance. Agencies have taken steps to address these factors, such as training staff working with Tribes. However, in light of significant federal workforce reductions that began in 2025, agencies have not conducted workforce planning to assess their capacity related to developing agreements. Doing so could enable better understanding of how to allocate agencies’ limited resources, address any skill gaps, and make strategic use of partnerships with Tribes. Why GAO Did This Study Federal agencies manage public lands, including national forests and parks, that are Tribes’ ancestral territories. Public lands retain special significance and importance to Tribes. Agencies collaborate with Tribes when meeting their missions and to fulfill unique federal trust and treaty responsibilities. GAO was asked to examine issues related to agencies developing shared decision-making agreements with Tribes. This report identifies features that strengthen shared decision-making agreements and examines factors that facilitated or impeded their development, as well as agency actions to address impediments. GAO reviewed agreements between federal agencies and Tribes, as well as federal laws, academic reports, and agency documents. GAO selected five shared decision-making agreements for in-depth analysis and interviewed the federal and tribal officials involved.

What GAO Found Of the 51 large, medium, and small airports included in GAO’s review, all but two small airports have some level of public transit service by bus or rail. Accessing airports by transit, instead of driving or taking taxis or rideshares, can help reduce congestion on increasingly busy airport roads. GAO found that 23 of the nation’s 31 large airports have rail service such as light or commuter rail. For 18 of these airports, the rail service is either located on airport grounds or off-site but connected by an air train that moves passengers on dedicated tracks. The remaining five large airports have rail service located off the airport grounds but connected by a free bus. The 20 selected medium and small airports generally have bus service from the airport curb to the local downtown. Large Hub Airports with Transit Rail Service (such as light or commuter rail) Note: Includes large hub airports per Federal Aviation Administration 2023 passenger boarding (enplanement) data. Use of transit by passengers and airport and airline employees varies widely across airports. Transit use ranged from 4 percent to 19 percent for the 12 airports for which GAO identified reports on passengers’ mode of transport. For employees, two large airports GAO visited reported that 17 percent and 19 percent of surveyed employees used public transit. Meanwhile an estimated 4 percent of airport and airline employees nationwide used public transit to commute, according to GAO’s analysis of Census data. Factors that influence individuals’ transit decisions include cost, travel time, and familiarity with transit options, according to Transit Cooperative Research Program reports and stakeholders GAO interviewed. In addition, people with disability consider factors such as availability of elevators or accomodations for mobility aids. Employees may also consider the availability of parking or transit benefits and transportation modes that match their work shifts, which often begin early in the morning. Some airports have begun to implement transportation demand management (TDM) strategies to promote the use of existing transit options. TDM broadly refers to efforts to reduce congestion and vehicle-related emissions. Five airports GAO visited were implementing TDM strategies, such as additional signage or advertising of transit options, or offering incentives, such as reduced cost transit. Although airports are implementing TDM strategies for passengers and employees, some are prioritizing strategies for employees who may be more willing to shift to transit due to their familiarity with the airport. Two airports GAO visited set, and plan to assess, transit use goals for their TDM strategies. Why GAO Did This Study Millions of passengers and employees travel to and from U.S. airports daily. Increased air travel demand has renewed concerns about congestion on roads to airports. Some airports and transit agencies have implemented TDM strategies to increase transit capacity or the use of existing transit to relieve congestion. The Federal Aviation Admministration (FAA) Reauthorization Act of 2024 includes provisions for GAO to assess the extent to which U.S. commercial airports are accessible by transit and the TDM strategies that airports are implementing. This report addresses, among other things, (1) public transit availability at selected U.S. airports; (2) passenger and employee use of public transit to access airports and the factors that influence their decisions to do so; and (3) TDM strategies selected large airports are implementing and plans by the airports to assess the effects of these strategies. GAO reviewed airport websites and conducted literature searches to identify documentation on transit options and use for 51 airports—all 31 large-hub airports and a random selection of 20 medium-hub and small-hub airports based on 2023 FAA enplanement data. GAO contacted all 51 airports to confirm this information was accurate. GAO also analyzed 2019-2023 Census data on employee commutes. GAO reviewed Department of Transportation (DOT) guidance and interviewed officials from DOT and nine stakeholder organizations selected to represent a range of perspectives. GAO visited five large airports that recently implemented projects to increase transit capacity, were implementing TDM strategies, or both. At each airport, GAO interviewed airport and transit agency officials and other stakeholders. For more information, contact Andrew Von Ah at VonahA@gao.gov.

What GAO Found Within U.S. Immigration and Customs Enforcement (ICE), the Shadow Wolves program operates on the Tohono O’odham Nation reservation in Sells, Arizona. In January 2024, GAO recommended that ICE define the mission and goals of the program, with input from the Tohono O’odham Nation. GAO also recommended that, ICE determine the staffing needs for the program on the Tohono O’odham Nation reservation, to include the skills and number of positions necessary. ICE concurred with the recommendations. In July 2024, ICE defined the program’s mission. However, ICE had not discussed the mission and goals of the program with the Tribe as of September 2025. In addition, ICE’s defined goals for the program do not align with the program’s mission or describe the results it hopes to achieve. Further, though ICE has defined staffing goals for the program, it has not yet performed a workforce analysis to determine the program’s staffing needs, including the number and type of personnel the unit needs to meet operational demands. GAO maintains that defining operational goals linked to the program’s mission with input from the Tohono O’odham Nation can better position ICE to ensure that operations achieve desired outcomes and ensure that ICE and the Tohono O’odham Nation have a common understanding of the program’s mission. Clearly defining the Shadow Wolves program mission and establishing operational goals are particularly important in light of continued differing perspectives and lack of clarity on the mission and activities of the program on tribal lands. The number of Shadow Wolves has declined over time as shown in the figure below. In January 2024, GAO recommended that ICE update its October 2022 Shadow Wolves recruitment strategy to include measurable goals, timelines, and milestones, and develop a succession plan to address upcoming retirements. ICE concurred with these recommendations and has taken steps to recruit Shadow Wolves, such as posting a job announcement seeking applications for Shadow Wolves personnel in September 2025. While this is a positive step, GAO maintains that ICE should also (1) develop and document measurable goals, timelines, and milestones so that officials can review progress of their recruitment efforts and make any needed adjustments and (2) develop a succession plan to better ensure that experienced Shadow Wolves will be available to train new recruits. Number of Shadow Wolves, Calendar Years 2003 to 2025 In January 2024, GAO also recommended that ICE develop criteria for evaluating possible additional Shadow Wolves locations. ICE concurred with this recommendation and has taken some steps to implement it. In July 2024, it broadly defined elements that would enable it to select new locations, including: the willingness of partnering Tribal Nations, levels of criminal activity, and the availability of funding. However, ICE had not detailed how it will apply these broad criteria to selecting potential locations. As of August 2025, ICE officials said expansion efforts had been placed on hold due to a lack of funding for Shadow Wolves positions outside of Sells, Arizona. GAO maintains that, moving forward, developing criteria for evaluating and selecting expansion locations could help ensure that ICE evaluates locations consistently while improving transparency of the process. Why GAO Did This Study About 62 miles of the U.S. southwest border is located on the Tohono O’odham Nation reservation, which may be vulnerable to illicit cross-border activity. The Shadow Wolves program began operations in 1974 to address the illegal smuggling of controlled substances from Mexico to this reservation in Arizona. The unit currently operates within ICE’s Homeland Security Investigations (HSI). The program’s employees—known as “Shadow Wolves”—must be certified to have at least one-quarter American Indian ancestry from a federally recognized Tribe. The Shadow Wolves Enhancement Act, which became law in April 2022, includes a provision for GAO to assess the effectiveness of ICE’s strategy for the Shadow Wolves program not later than 1 year after receiving the strategy, and annually for the following 2 years. GAO issued its first report related to this provision in January 2024 and the second report in November 2024. This report assesses ICE’s (1) efforts to define the mission of the Shadow Wolves program and conduct workforce planning to understand the skills and positions necessary to meet mission needs, (2) strategies for recruiting and retaining Shadow Wolves, and (3) planning efforts to expand the program to other tribal lands. GAO conducted interviews with ICE and HSI headquarters officials, HSI field officials, and each member of the Shadow Wolves unit regarding program operations, mission, retirement plans, and expansion planning efforts.

What GAO Found GAO performed agreed-upon procedures at the Senate Disbursing Office (SDO) consisting of (1) identifying the authorized and reported amount of cash accountability for the Secretary of the Senate, (2) counting all cash items that support the cash accountability level of the SDO, (3) counting all noncash items that support the cash accountability level of the SDO, and (4) agreeing the total amount counted to the authorized amount and reported amount of cash accountability. The total value of cash and noncash items counted on September 22, 2025, agreed to the cash accountability level that the SDO authorized and reported, except for a difference of $3.31, which SDO officials stated is a known overage that has accumulated over time. The Secretary of the Senate is responsible for the sufficiency of these agreed-upon procedures to meet its objectives, and GAO makes no representation in that respect. The report provides the details on the agreed-upon procedures and the results of performing each of the procedures. In commenting on a draft of this report, the Secretary of the Senate in an email response stated that she had no comments on the report. Why GAO Did This Study The Chair and Ranking Member of the U.S. Senate Committee on Rules and Administration requested that GAO perform procedures on the cash accountability level that the SDO authorized and reported. The cash accountability level represents the value of cash and noncash items for which the Secretary of the Senate, as disbursing officer for the U.S. Senate, is responsible. For more information, contact Cheryl E. Clark at clarkce@gao.gov.

What GAO Found U.S. Customs and Border Protection (CBP) has implemented the Customs Trade Partnership Against Terrorism (CTPAT) program as part of a layered, risk-informed approach to supply chain security. CTPAT provides private companies in the supply chain with certain benefits (e.g., reduced cargo inspections or expedited processing) in exchange for voluntary adherence to additional security requirements. CBP monitors CTPAT participants’ involvement in security incidents, such as smuggling cargo that contains narcotics, which could result in participants’ suspension or removal from the program. According to CBP data, about 4 percent of CTPAT program participants were involved in one or more security incidents. Specifically, 480 CTPAT program participants were involved in approximately 2,200 security incidents (about 1 percent of all incidents) in the cargo supply chain in fiscal years 2020 through 2024. The most common type of security incident that participants were involved in were drug-related, accounting for just under 50 percent of all incidents. However, CBP does not collect complete data on security incidents involving program participants, such as on incidents self-reported by participants. Ensuring data on CTPAT security incidents are complete and consistent would position CBP to better identify and understand possible risks to the cargo supply chain. Customs Trade Partnership Against Terrorism (CTPAT) Participant Involvement in Security Incidents That Occurred in the Cargo Supply Chain, Fiscal Years 2020-2024 Note: These data are estimates. While GAO determined that these data are sufficiently reliable to report approximate numbers, limitations in these data exist. For more details, see GAO-26-107893. The total number of CTPAT participants is as of August 2025. CBP did not consistently investigate security incidents involving CTPAT participants or take enforcement actions against them. For example, GAO found several cases where CBP documented that they would not investigate a security incident involving a program participant and did not take enforcement action against them, but did not explain these decisions. In one instance, CBP did not take enforcement action against a participant involved in a security incident in 2021. This same participant was subsequently involved in dozens of additional incidents before it was suspended 2 years later. Without clear, documented decision criteria to determine appropriate enforcement actions against CTPAT participants involved in security incidents, CBP risks leaving the nation and supply chain vulnerable to additional security incidents. Why GAO Did This Study The U.S. economy depends on the quick and efficient flow of millions of tons of cargo each day throughout the global supply chain. However, U.S.-bound cargo can present security concerns, as there is a risk that terrorists could use cargo shipments to transport a weapon of mass destruction or other contraband into the U.S. The Customs Trade Partnership Against Terrorism Pilot Program Act of 2023 includes a provision for GAO to assess the effectiveness of the program. This report examines (1) the number and types of security incidents that occurred in the cargo supply chain in fiscal years 2020 through 2024 and the extent to which CTPAT participants were involved; (2) enforcement actions against CTPAT participants involved in security incidents during this timeframe; and (3) the extent to which CBP meets certain statutory requirements in its management of the CTPAT program. GAO analyzed CBP data on CTPAT participant involvement in security incidents and CTPAT’s enforcement actions against these participants in fiscal years 2020 through 2024. GAO also reviewed CBP procedures for addressing program participant involvement in security incidents and interviewed CBP headquarters officials.

What GAO Found The First Step Act of 2018 (FSA) required the Federal Bureau of Prisons (BOP) to assess incarcerated people’s risk of recidivism and their needs, that if addressed, may reduce that risk. BOP did not conduct all assessments within required time frames (28 days for initial and 90 or 180 days for reassessments) for various reasons, including technology issues. For example, BOP conducted initial risk assessments within required time frames for about 75 percent of the 57,902 incarcerated people who entered a BOP facility from June 1, 2022, to March 30, 2024. For the needs it is responsible for assessing, BOP conducted 69 to 95 percent of this cohort’s assessments within required time frames. BOP plans to enhance an existing application to ensure assessments are conducted as required, in response to a 2023 GAO recommendation. BOP officials said they offer FSA programs and activities that address all 13 needs (e.g., substance use). However, BOP does not have accurate program data because, for example, staff used different methods to record when an incarcerated person declined to participate in a recommended program. GAO also found inaccuracies in program participation data, which BOP officials attributed to data entry errors. Without accurate data, BOP cannot determine if it offers sufficient programming to meet the needs of its incarcerated population. Eligible incarcerated people who agree to participate in programs, among other things, may earn time credits toward early transfer to supervised release and prerelease custody (i.e., home confinement or residential reentry center). GAO found that BOP generally applied all time credits toward supervised release but not for prerelease custody. BOP implemented new planning tools in 2024 and 2025 to help staff anticipate upcoming transfers to prerelease custody and ensure incarcerated people receive their FSA time credits. GAO has ongoing work examining BOP’s efforts to forecast capacity needs and provide sufficient residential reentry center resources. People Incarcerated in a BOP Facility on March 30, 2024 that Transferred or Could Have Transferred to Prerelease Custody From March 31, 2024–December 31, 2024 The Department of Justice (DOJ) has not been able to fully address all FSA annual reporting requirements because not enough time has passed since the agency implemented FSA to determine certain things, such as recidivism rates. This requirement expired in 2025, and absent congressional actions, DOJ no longer has to submit a report to Congress. Without such information, Congress may be hindered in its decision making regarding the FSA. Why GAO Did This Study In 2024, BOP released approximately 42,000 people from federal prisons. Approximately 45 percent of people released from federal prison recidivate (are re-arrested or return within 3 years of their release), according to BOP. Under the FSA, BOP is to help reduce recidivism by assessing a person’s recidivism risk and needs and providing programs and activities to address their needs. The FSA allows eligible people to earn time credits that may reduce their time in prison. The FSA includes a provision for GAO to assess certain FSA requirements. This report examines the extent to which BOP conducted risk and needs assessments; offered programs and activities; and applied FSA time credits. This report also examines the extent to which DOJ met FSA reporting requirements, among other objectives. GAO analyzed BOP data from January 2022 through December 2024 for people in BOP custody as of March 30, 2024. GAO analyzed DOJ and BOP policies, guidance, and reports and interviewed officials at BOP’s Central Office and three regional offices. GAO also interviewed staff and incarcerated persons at four facilities. GAO selected facilities based on factors such as geographic location and security level.

What GAO Found The Department of Defense (DOD) identified over $400 million in fiscal year 2025 for the Junior Reserve Officers’ Training Corps (JROTC) program. JROTC aims to develop citizenship, service to the United States, and personal responsibility in students. In 2025, there were more than 6,000 JROTC instructors across all 50 states and in DOD schools overseas. The military services met five out of six leading practices for recruiting JROTC instructors such as monitoring instructor vacancies and recruiting year-round, but did not consistently establish or track metrics. Establishing standardized metrics would better position the military services to evaluate the effectiveness and the success of JROTC recruiting efforts across the entire JROTC program. Assessment of How Military Services Met Leading Practices for Recruiting Junior Reserve Officers’ Training Corps (JROTC) Instructors Neither DOD nor the Department of Homeland Security (DHS) are positioned to determine the effectiveness of the new JROTC instructor pay scale on JROTC instructor recruiting and retention without a plan and metrics to evaluate its effectiveness. For example, JROTC instructors GAO spoke to or surveyed had mixed opinions about the new JROTC pay scale, including concerns that the pay scale was lower than the legacy pay scale in their high cost of living areas. Defining metrics to evaluate the new pay scale would provide the military services with improved oversight and visibility about the effectiveness of the new pay scale in supporting JROTC program goals, to include recruiting and retaining JROTC instructors. Why GAO Did This Study The military services—Army, Air Force, Navy, Marine Corps, and Coast Guard—under DOD and DHS are responsible for recruiting and certifying JROTC instructors. Legislation expanded eligibility requirements for JROTC instructors in fiscal year 2023 and modified the JROTC pay system in fiscal year 2024 to help the military services address challenges recruiting JROTC instructors. The Senate Report 118-58 accompanying a bill for the National Defense Authorization Act for Fiscal Year 2024 includes two provisions for GAO to review the JROTC program. This report evaluates the extent to which 1) the military services followed leading practices for recruiting; and 2) the new JROTC instructor pay scale supports recruitment and retention needs, among other issues. GAO interviewed agency officials and reviewed DOD and military service policy and guidance for the JROTC programs. GAO also conducted a survey of 95 JROTC instructors and received 46 responses for a response rate of 47 percent. The results of this survey are not generalizable. GAO also interviewed JROTC instructors at 28 high schools that were selected based on military service and geographic representation.

What GAO Found U.S. Customs and Border Protection (CBP), through its components U.S. Border Patrol and Office of Field Operations, detains individuals who unlawfully enter the U.S. at short-term holding facilities. CBP personnel process individuals and determine the next course of action, such as transferring them from custody or removing them from the country. For the past decade, CBP has used contracted medical personnel at facilities along the southwest border to provide health screenings and treatment of basic medical conditions to individuals in custody. Contracted Medical Personnel Area at U.S. Customs and Border Protection Facility GAO found that CBP developed policies and guidance for providing medical care to individuals in custody but has not consistently implemented them. For example, CBP requires some populations, such as children, pregnant individuals, and adults who indicated they might have an illness or injury, to receive a basic physical exam known as a medical assessment. Although CBP introduced new guidance and improved the percentage of individuals who received medical assessments, GAO found that some individuals still did not receive assessments, as required. For example, 57 percent of adults with a potential illness or injury and 20 percent of pregnant individuals did not receive medical assessments from August 2023 to August 2024, as required. Without an oversight mechanism to ensure that people in custody receive the required medical assessments, CBP may not be aware of medical needs and cannot ensure it takes the appropriate next steps for any necessary medical care. GAO also found that CBP and contracted medical personnel did not consistently implement additional care requirements for individuals in custody who had serious injuries or illnesses (i.e., those who were medically high-risk). For example, from August 2023 to August 2024, contracted medical personnel did not conduct medical monitoring checks required for medically high-risk adults and children approximately 40 percent of the time. In July 2025, CBP developed new tools to inform its oversight efforts, but did not explain how it will use them to systematically assess whether medically high-risk individuals received their medical monitoring checks on time. Developing and implementing a mechanism to monitor this requirement and others would help CBP better ensure these individuals receive required care, and personnel are monitoring their conditions. CBP did not consistently provide medical records and prescriptions—referred to as medical summary forms—as required, to individuals with medical issues leaving CBP custody. By not providing the medical summary forms, CBP can create challenges with continuity of care. GAO also found CBP’s oversight reports did not include data from facilities that do not have contracted medical personnel. These facilities send individuals to local hospitals or urgent care facilities for medical care, including medical assessments. Without these data, CBP cannot ensure all individuals in custody received required medical assessments to decrease the risk of adverse medical outcomes. Moreover, GAO’s analysis showed that CBP did not consistently manage or oversee its medical services contracts. For example: CBP did not clearly specify minimum staffing levels it requires of the contractor in the medical services contract. As such, CBP cannot ensure it has sufficient contracted medical personnel to meet its needs for providing medical care at its facilities; and CBP has not analyzed the costs and benefits of providing certain types of care through contracted medical personnel versus sending individuals to local hospitals. Performing a cost benefit analysis gives CBP the opportunity to identify potential cost savings. GAO also identified gaps in CBP’s contract oversight, which could be remedied with a contract administration plan. For example, GAO found that CBP officials with contract oversight duties did not visit CBP facilities to directly observe performance under the medical services contracts until 2024. While CBP received reports from the contractor, it did not have metrics to measure contractor performance. Without a plan that includes roles and responsiblities and performance metrics, CBP is missing opportunities to obtain a more complete and quantifiable understanding of contractor performance. CBP did not always submit contractor past performance evaluations as required. Ensuring that CBP complies with the requirements to submit these evaluations annually and at the end of the performance period would allow CBP to use more current information in its ratings. Such compliance would also better position officials to make informed decisions when awarding future medical services contracts. U.S. Customs and Border Protection (CBP) Submission of Contractor Past Performance Evaluations for the Medical Services Contracts as of August 2025 GAO found that CBP met many of its medical quality management program requirements in overseeing the quality of care that contracted medical personnel provide. However, CBP does not have guidance that includes clear responsibilities for the Office of the Chief Medical Officer and did not track corrective actions taken after some medical events. Doing so would help CBP ensure the safety and quality of all medical services provided to individuals in CBP custody. Why GAO Did This Study From fiscal years 2021 through 2024, CBP encountered about 2 million individuals along the southwest border each year, resulting at times in overcrowding in its facilities. In May 2023, the death of an 8-year-old girl in CBP custody raised concerns about CBP's provision of medical care. This report focuses on the southwest border and examines the extent to which CBP has (1) developed and implemented policies for providing medical care for individuals in its custody and (2) managed its contracts for medical services and provided oversight of its contractor. To conduct this audit, GAO reviewed CBP documentation, including medical care guidance and other documentation related to screening and assessing individuals for medical issues. GAO observed CBP and contractor implementation of policies, challenges, and management of medical care at 31 CBP facilities along the southwest border, selected among areas with higher encounters. Additionally, GAO analyzed data for fiscal years 2021 through 2024 (the most recent available at the time of our review) to assess the extent to which CBP components implemented its medical policies, its guidance, and federal internal control standards. GAO reviewed CBP contract file documentation for the three medical services contracts in this same period. GAO compared documentation of monitoring and performance activities against contract requirements, agency policies, and procurement regulations. GAO interviewed CBP officials in headquarters and field locations to gain their perspectives on its provision of medical care. GAO also interviewed contracting officials regarding their efforts and responsibilities in managing and overseeing the contractor.

What GAO Found The National Weather Service (NWS) and other government entities use two types of emergency alerts to inform the public about certain weather events: Wireless Emergency Alerts and messages sent through the Emergency Alert System. Wireless Emergency Alerts are text-like messages delivered to mobile phones and devices. NWS provides all of its Wireless Emergency Alerts in English and Spanish. While other alerting authorities, such as state and local governments, may choose to translate alerts into Spanish, they provided most of their Wireless Emergency Alerts in English only from December 2019 through December 2024 (see fig.). These state and local alerts may include essential information that differs from what NWS provides, such as evacuation orders. The Emergency Alert System delivers messages through radio and television. NWS provides most of its Emergency Alert System messages in English only, in part because the agency has few of the radio transmitters that broadcast in other languages. Because broadcasters have discretion over whether to air the messages, agency data are limited on the languages in which these messages are broadcast on television and radio. NWS and other federal agencies that have roles in emergency alerting face challenges related to providing alerts in additional languages. These challenges include the complexity of making changes to alerting systems and technical and resource challenges. In addition, state and local government agencies may not have the funding, staff expertise, or other resources needed to create alerts in languages other than English. Federal agencies have taken some steps to make weather alerts available in additional languages. For example, the Federal Communications Commission has adopted requirements for wireless carriers to support template Wireless Emergency Alerts in English and 14 other languages. These requirements will become effective in 2028. In addition to weather alerts, NWS issues weather products such as forecasts, watches, and warnings through other means. NWS has been using artificial intelligence (AI) to translate some of these weather products into five languages—Spanish, Simplified Chinese, Vietnamese, French, and Samoan. About a quarter of its weather forecast offices and the National Hurricane Center were participating in this project as of December 2025. Officials said using AI could help NWS disseminate information in other languages more quickly and at lower cost. NWS’s AI language translation project could play a key role in expanding the accessibility of weather products, in turn helping reduce risks to public health and safety during extreme weather events. NWS has developed a plan for expanding the translation of its weather products using AI and has stated it intends to continue these efforts. However, NWS has not documented measurable performance goals, resource needs, or challenges for the project and has not updated its plan for the longer term. NWS also faces challenges providing translated weather products, including staff capacity, funding, and technical limitations to disseminating these products. Incorporating certain key practices GAO has identified—such as developing measurable performance goals and identifying resource needs and strategies to address internal and external challenges—would help NWS better manage the AI language translation project, plan for its future, and communicate resource needs to Congress. Why GAO Did This Study An estimated 26 million people in the U.S. have limited ability to understand English, according to U.S. Census Bureau data. These individuals may face greater risk during extreme weather events if information is not provided in a language they can understand. When individuals cannot understand weather warnings or evacuation instructions, it can slow emergency response efforts, create confusion, and jeopardize public safety. House Report 117-395 includes a provision for GAO to review the emergency alert systems used for weather alerts and assess the ability of relevant federal agencies to provide weather alerts and other weather products in languages other than English. This review provides information on the languages in which weather alerts and other weather products are available, challenges to providing this information in languages other than English, and actions that could help federal agencies better communicate weather information in other languages. GAO reviewed relevant laws, regulations, executive orders, and agency documents and analyzed FEMA data on Wireless Emergency Alerts sent from 2019 through 2024. GAO also interviewed agency officials and representatives from state and local alerting authorities, industry, and advocacy groups and community organizations.

What GAO Found GAO found (1) the Federal Housing Finance Agency's (FHFA) financial statements as of and for the fiscal year ended September 30, 2025, are presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles; (2) although internal controls could be improved, FHFA maintained, in all material respects, effective internal control over financial reporting as of September 30, 2025; and (3) no reportable noncompliance for fiscal year 2025 with provisions of applicable laws, regulations, contracts, and grant agreements GAO tested. In its written comments on a draft of this report, FHFA stated that it is pleased to accept GAO's unmodified opinion on its financial statements and maintains its commitment to strong internal controls and reliable financial reporting. Why GAO Did This Study The Housing and Economic Recovery Act of 2008 established FHFA as an independent agency empowered with supervisory and regulatory oversight of the housing-related government-sponsored enterprises: the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 11 Federal Home Loan Banks, and the Office of Finance. This act requires FHFA to prepare financial statements annually and requires GAO to audit the agency's financial statements. In accordance with the act, GAO audited FHFA's financial statements. For more information, contact Anne Sit-Williams at sitwilliamsa@gao.gov.

What GAO Found Telework use decreased following the end of the COVID-19 pandemic emergency and the President’s January 2025 Return to In-Person Work memorandum among three federal agencies GAO reviewed: the Department of the Interior’s Bureau of Indian Affairs (BIA), the Social Security Administration (SSA), and the Department of State’s Bureau of Consular Affairs (CA). Officials at all three agencies told us telework likely had some effect on operations. For instance, SSA and CA had staff who had left or considered leaving for other organizations with more telework availability. They told us that other factors, such as a lack of qualified applicants and increased workloads, led to recruiting challenges. Officials at SSA told us telework was an important recruitment tool. GAO found, however, that SSA is at risk of skills gaps in key occupations, in part because its employees are seeking greater telework flexibility elsewhere. These risks come at a time when SSA is seeking to substantially reduce the size of its workforce. GAO previously reported that it is critical for agencies to carefully consider how to strategically downsize their workforces and maintain the staff resources to carry out their missions before implementing workforce reduction strategies (GAO-18-427). Agency officials said SSA has a human capital plan it can update to help guide staffing decisions, but has not done so because they are focused on responding to administration workforce priorities such as implementing skills-based hiring. However, without developing or updating a human capital plan, SSA may lack the information needed to ensure it has the mission-critical staff necessary to provide timely public service. Officials at all three agencies also told us factors other than telework contributed to problems in providing key customer services at times during fiscal years 2019 through 2024. For example, BIA attributed delays in providing probate services to Tribes and their citizens to factors such as staffing shortages and funding issues. SSA officials cited a learning curve related to a new disability case processing system and a substantial increase in the volume of submitted medical evidence as contributors to delays in processing disability claims. CA reported an unexpectedly large volume of applications and high rates of attrition that contributed to substantial delays in 2023 passport processing. However, none of the agencies had evaluated their telework programs to determine their effects on its performance and identify problems, a key practice for successful telework programs. Officials said they had not done so because they were unsure how to or were not required to conduct such evaluations. GAO determined that it was not practical for BIA and CA to evaluate their telework programs now because their staff can no longer use regular telework. Since some of SSA’s program offices continue to regularly use telework, it remains important for the agency to evaluate its telework program to identify any problems or issues and make appropriate adjustments. Why GAO Did This Study Federal agencies have used telework to help accomplish their missions, maintain continuity of operations during emergencies, and recruit and retain employees. GAO was asked to review telework use at BIA, SSA, and CA. This report (1) summarizes how often the agencies’ staff teleworked from July 2019 through May 2025, and how the agencies’ telework programs changed following the President’s issuance of the Return to In-Person Work memorandum in January 2025; (2) describes the effects telework’s use had on the agencies’ operations and customer service; and (3) assesses the extent to which the agencies followed selected key practices for successful telework programs. For this report, GAO collected and analyzed the agencies’ telework data from July 2019 through May 2025. GAO reviewed and summarized agencies’ plans to change telework use before and after January 2025. GAO analyzed agency performance information, and compared agencies’ activities with selected key telework practices identified in GAO-21-238T. GAO also conducted interviews and 11 discussion groups with agency staff.

What GAO Found U.S. Customs and Border Protection (CBP) uses non-intrusive inspection (NII) systems, such as X-ray machines, to inspect vehicles and travelers at land ports of entry (POE). As part of this process, CBP officers use large-scale NII systems to scan entire vehicles and their contents. These scans produce images that CBP officers review to help detect illegal drugs or other contraband. In 2020, to increase vehicle scans, CBP began deploying these systems to preprimary inspection areas—before a traveler is interviewed by a CBP officer. Previously, NII systems were generally used only when an officer determined that further inspection was required after the interview. Non-Intrusive Inspection Systems Deployed in Preprimary Inspection Areas at Mission, Texas (left), and Laredo, Texas (right) CBP uses performance data to help ensure large-scale NII systems are operational, but it has not defined all key performance parameters for NII systems. For one key parameter, CBP reports and uses data on the percentage of time that large-scale NII systems are available for operational use. However, CBP has not clearly defined or reported results for its other two key parameters related to inspection rate and examination of containers and cargo. For example, CBP’s inspection rate parameter requires 100 percent inspection of high-risk commercial vehicles and container cargo, but CBP has not clearly defined the term “high risk” or the meaning of maintaining 100 percent inspection of targeted containers, cargo, and international mail. Clearly defining and reporting results for all of its key performance parameters would help CBP manage the NII program and inform future procurement decisions. CBP has made progress deploying large-scale NII systems. As of February 2025, 52 of 153 planned systems were fully operational, nearly all at preprimary inspection areas. Deployments have cost more and taken longer than CBP estimated due to, for example, unexpected construction challenges. Congress directed CBP to develop a plan to achieve 100 percent scanning of commercial and passenger vehicles and freight rail at land POEs using large-scale NII by 2027. CBP estimated that it would need 434 large-scale NII systems to achieve this goal at the northern and southwest borders—281 of which have not yet been procured, including 62 for the southwest border. However, CBP’s plans for the southwest border omit systems to scan passenger vehicles at nine crossings, including three of its highest-traffic locations that account for nearly 40 percent of passenger vehicle traffic at the southwest border in fiscal year 2024. Without these crossings in its plan, CBP risks entry of many unscanned passenger vehicles, hampering its ability to prevent illegal drugs and other contraband from entering the United States. Why GAO Did This Study Since 2019, CBP has received over $2 billion that it has used to deploy additional NII systems to land POEs, which are a key drug smuggling route. This testimony summarizes a report GAO published in September 2025 in response to a request to review the implementation and effectiveness of CBP’s NII program entitled Land Port Inspections: CBP Should Improve Performance Data and Deployment Plans for Scanning Systems. This testimony focuses on three areas: (1) how CBP assesses large-scale NII performance, (2) the status of large-scale NII system deployments, and (3) CBP’s plans for future large-scale NII system deployments. To inform that report, GAO analyzed NII program documentation, including inspection procedures, performance data, and deployment plans, and interviewed program officials. GAO also interviewed and observed CBP officers conducting inspections at land POEs where large-scale NII systems had been deployed in preprimary inspection areas.

What GAO Found The federal government gives grants to individual scientists and groups of scientists through their respective research institutions, supporting both basic and applied research. Federal funding agencies must have research security policies in place to ensure that such research is free of improper foreign influence. Such influence includes, for example, malign talent recruitment activities by foreign governments or misappropriation of research findings. Agencies are required to carry out research security policies in a manner that does not discriminate against scientists based on their race, ethnicity, or national origin. The Departments of Defense (DOD) and Energy (DOE), National Aeronautics and Space Administration (NASA), National Institutes of Health (NIH), and National Science Foundation (NSF) have applied safeguards to varying degrees in their research security programs to help prevent discrimination. Extent to Which Selected Agencies Have Adopted Safeguards to Prevent Discrimination While Addressing Improper Foreign Influence   Transparent improper foreign influence review processes Collection and use of demographic data to assess agency processes Multiple levels of review in improper foreign influence reviews Training agency staff in non-discrimination in improper foreign influence reviews Leadership commitment to non-discrimination in improper foreign influence reviews Department of Defense ◒ ◯ ● ◒ ◯ Department of Energy ◒ ◯ ● ◒ ● National Aeronautics and Space Administration ◒ ◯ ● ◯ ◯ National Institutes of Health ● ◒ ● ◯ ● National Science Foundation ◒ ◯ ● ● ● ● = Fully adopted ◒ = Partially adopted or plan in development; ◯ = Not adopted Source: GAO analysis of selected agencies’ documents and interviews. | GAO-26-107544 While NASA and NSF documented their processes for identifying and addressing improper foreign influence, they have not documented their risk mitigation processes. By clearly documenting risk mitigation processes, agencies can create shared expectations with research institutions and researchers about how these processes are implemented fairly and without discrimination. Additionally, DOD, DOE, NASA, NIH, and NSF have not assessed their research security processes to determine whether the safeguards the agencies have in place provide reasonable assurance that discrimination will not occur. By assessing their current safeguards, agencies can provide greater assurance that discrimination will not occur and may identify additional safeguards appropriate to the agency. Why GAO Did This Study As a global leader in scientific research, the U.S. has benefited from recruiting international talent and international collaborations. However, concerns have grown about improper foreign influence in federally funded research. While agency identification of improper foreign influence is critical to preventing fraud in taxpayer funded research, some stakeholders raised concerns that agencies were discriminating against certain demographic groups when reviewing grants. GAO was asked to examine whether federal agencies ensure that research security reviews are free from discrimination. This report assesses the extent to which selected agencies have implemented safeguards to prevent discrimination in research security processes. GAO selected the five agencies that funded the highest amounts of extramural research and reviewed agency documents and published literature. GAO also performed statistical analysis on data obtained from one agency to assess differences among improper foreign influence cases and interviewed agency officials and representatives of universities and civil society organizations.

What GAO Found In May 2023, the Department of Defense (DOD) discontinued its MyTravel initiative and directed all users to return to the previous Defense Travel System (DTS). Based on information from DOD, the department’s abandonment of MyTravel was due to four primary factors: lack of a central leadership authority and advocate for change; insufficient program management practices; inadequate outreach to understand evolving stakeholder needs; and inconsistent inclusion of key users in gathering and tracking program requirements. While DOD is reinvesting in DTS to add key capabilities, the department has not yet fully addressed applicable leading practices related to the primary factors of MyTravel's abandonment (see figure). These practices include statutory department-specific business system requirements. Overall, DOD fully addressed 12 practices, partially addressed six, and did not address four. Of particular concern are the three program management and five requirements management practices that are not yet fully addressed. Until it fully implements these practices, DOD risks shortcomings in managing the program and in ensuring that users are involved in requirements gathering and tracking. Assessment of DOD’s Defense Travel System Against Selected Leading Practices and Statutory Elements Related to the MyTravel System’s Abandonment Regarding overall system modernization, DOD has department-wide improvements underway. However, its policies and guidance for managing and directing these efforts do not fully address 11 of 23 leading practices and statutory requirements related to the above four factors. For example, the department has established a framework to monitor progress of selected programs but has not established a permanent leadership structure for the efforts or taken steps to ensure that programs fully align with department-wide goals and priorities. Without fully implementing these leading practices and statutory requirements, DOD can experience coordination issues and inconsistent execution in planning and making improvements to its business systems modernization efforts. Why GAO Did This Study DOD relies on its travel system to support mission-critical operations. DOD has faced multiple challenges in its many attempts to modernize this system, most recently through the abandoned MyTravel initiative. Similar challenges have kept DOD’s business systems modernization on GAO’s High-Risk List since 1995. GAO was asked to review the DTS modernization program and DOD’s overall business system modernization. This report examines (1) primary factors that caused DOD’s abandonment of MyTravel, (2) the extent to which DOD is following applicable leading practices in modernizing DTS, and (3) the extent to which DOD is following selected practices in its overall business systems modernization. To conduct this review, GAO analyzed DOD documentation related to MyTravel and identified leading practices for system modernization. GAO analyzed DOD efforts to modernize its travel system, as well as documentation related to departmentwide business system modernization efforts, against the leading practices. GAO also interviewed relevant DOD officials.

What GAO Found In January 2026, GAO identified 16 open recommendations under the purview of the Office of Personnel Management's (OPM) Chief Information Officer (CIO) from previously issued work. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. In addition, GAO has designated two of the 16 as priority recommendations. For example, GAO previously recommended that OPM fully implement all event logging requirements as directed by the Office of Management and Budget. Further, GAO recommended that OPM complete annual reviews of its IT portfolio in conjunction with the Federal CIO. GAO also recommended that OPM compare in-use software license inventories with information on purchased licenses to identify opportunities to reduce costs and better inform decision-making. The CIO's continued attention to these recommendations will help ensure the secure and effective use of IT at the agency. Why GAO Did This Study CIO open recommendations are outstanding GAO recommendations that warrant the attention of agency CIOs because their implementation could significantly improve government IT operations by securing IT systems, identifying cost savings, improving major government programs, eliminating mismanagement of IT programs and processes, or ensuring that IT programs comply with laws, among others. For more information, contact Nick Marinos at marinosn@gao.gov.

What GAO Found In January 2026, GAO identified 30 open recommendations under the purview of the National Aeronautics and Space Administration (NASA) Chief Information Officer (CIO), from previously issued work. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. For example, GAO previously recommended that NASA prepare and approve an organization-wide cybersecurity risk assessment. Further, GAO recommended that NASA fully implement all event logging requirements as directed by the Office of Management and Budget. In addition, GAO recommended that NASA develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats. GAO also previously recommended that the agency complete annual reviews of its IT portfolio consistent with federal requirements. The CIO's continued attention to these recommendations will help ensure the secure and effective use of IT at the agency. Why GAO Did This Study CIO open recommendations are outstanding GAO recommendations that warrant the attention of agency CIOs because their implementation could significantly improve government IT operations by securing IT systems, identifying cost savings, improving major government programs, eliminating mismanagement of IT programs and processes, or ensuring that IT programs comply with laws, among others. For more information, contact Nick Marinos at marinosn@gao.gov.