What GAO Found Older adults and people with disabilities face financial decisions that can have lasting consequences for their financial well-being. They often must navigate government benefits, such as Social Security and Medicare; make housing decisions; manage retirement savings; and avoid fraudulent schemes. GAO found 24 examples of federal financial literacy programs and resources designed to help older adults and people with disabilities with financial decision-making. Examples include a curriculum for preventing elder financial exploitation, a website with information on employment for people with disabilities, and a hotline that provides information on retirement, disability, and other benefits. Federal Financial Literacy Programs for Older Adults and People with Disabilities The Financial Literacy and Education Improvement Act established the Financial Literacy and Education Commission—which comprises the heads of 24 federal agencies and entities—to improve financial literacy and education through coordinated federal efforts. It does so through working groups, public meetings, and coordination on financial literacy programs and resources. The Department of the Treasury and Consumer Financial Protection Bureau serve as the chair and vice chair, respectively, of the Commission, which primarily communicates information on its efforts through its annual reports to Congress. Of the 24 financial literacy programs GAO identified that serve older adults and people with disabilities, the Commission's five annual reports from fiscal years 2015 to 2022 included program outcome data for one. The reports contain similarly limited outcome information for other financial literacy programs. The Commission's national strategy highlights the importance of collecting data on the outcomes of financial education activities to assess their impacts and inform data-driven improvements. Further, GAO's prior work has shown that evidence-based policymaking is important for effective program management. Enhanced focus on outcome reporting for federal financial literacy efforts could provide the Commission and Congress with more robust information to facilitate oversight of federal financial literacy efforts. More information could also help member agencies assess program effectiveness and help Congress determine how agencies' efforts are meeting the needs of specific groups, such as older adults and people with disabilities. Why GAO Did This Study Financial literacy—the ability to make informed decisions and take effective actions regarding money—is essential to helping ensure the financial health and stability of individuals and families. Financial literacy is particularly important for older adults and people with disabilities. Many federal agencies promote financial literacy through programs and resources such as print and online materials. GAO was asked to report on federal financial literacy programs for older adults and people with disabilities. This report addresses (1) financial decisions older adults and people with disabilities face and federal resources available to help improve their financial literacy, and (2) how the Financial Literacy and Education Commission coordinates financial literacy efforts and reports program outcomes to Congress and the public. GAO reviewed agency strategic plans, annual reports, websites, and other materials, and interviewed representatives of federal agencies and relevant organizations, such as the AARP and National Disability Institute.

What GAO Found The COVID-19 pandemic disrupted the maritime shipping industry, causing congested ports, high demand for cargo space on ships, and volatile shipping rates. Selected shippers of hazardous materials (hazmat), which include chemicals and other types of cargo critical to the U.S. economy, told GAO they were particularly affected during the peak of the pandemic (2020 through 2022). All six hazmat shippers GAO interviewed said they had difficulty securing space on ships, and five said they experienced long delays. Shippers attributed these challenges to safety risks and additional requirements associated with hazmat, which made it less desirable for carriers to accommodate on their ships. GAO found that while hazmat imports and exports increased from 2018 through 2020, hazmat imports stagnated and exports decreased from 2020 through 2022. Hazmat imports increased almost 32 percent from 2018 through 2020, but grew less than 1 percent afterward. Hazmat exports increased 19 percent from 2018 through 2020 and declined by 7 percent afterward. Conversely, non-hazmat imports and exports grew at a higher rate during the pandemic, which carriers attributed to non-hazmat shippers paying higher shipping rates. Hazardous Materials Imports and Exports Transported on Cargo Ships in Twenty-Foot Equivalent Units, 2018–2022 The Federal Maritime Commission (FMC) is responsible for ensuring a competitive and reliable ocean transportation system for all U.S. shippers. Its oversight efforts include receiving complaints from shippers about carriers. FMC can use this information to respond to shippers' concerns and initiate investigations of carriers. However, GAO found several shortcomings in how FMC collects, manages, and uses complaint data: (1) FMC does not consistently capture certain details—such as type of cargo, whether cargo is hazmat, and incident location—which limits FMC's ability to analyze complaint trends; and (2) key FMC procedures for managing the data are out of date and incomplete. GAO also found that while FMC plans to modernize how it collects, manages, and uses information from complaints, it lacks a strategy to guide these efforts. Such a strategy could include key information on planned updates, such as goals, required investments, and expected outcomes. Taking steps to address these shortcomings and developing a data strategy could help FMC more effectively use data to oversee the maritime shipping industry. Why GAO Did This Study The maritime shipping industry is vital to the global economy and accounted for $2.3 trillion in U.S. trade in 2022. FMC is responsible for overseeing this industry, including protecting U.S. shippers from unfair or unjustly discriminatory practices related to securing vessel space. The Ocean Shipping Reform Act of 2022 includes a provision for GAO to examine whether carriers disadvantaged shippers of hazmat during the pandemic through the systemic and unreasonable denial of vessel space or other means. This report examines, among other things: (1) shippers' experiences transporting hazmat during the pandemic; (2) how the amount of hazmat imports and exports changed from 2018 through 2022 (the most recent data available at the time of GAO's review); and (3) actions FMC has taken to collect, manage, and use its complaint data. For these objectives, GAO reviewed pertinent FMC regulations and policies; analyzed trade data; visited two ports; and interviewed FMC officials as well as representatives of six shippers and five carriers. GAO selected these shippers and carriers based on a review of recent FMC rulemakings and on stakeholders' recommendations.

What GAO Found The accuracy of biometric identification technologies has improved according to the body of research conducted in a laboratory setting, particularly for facial recognition, but gaps remain in understanding real-world performance. Various factors, such as a lack of demographic diversity in the datasets on which biometric algorithms are trained, can lead to differences in accuracy across demographic groups according to literature GAO reviewed and researchers GAO interviewed. While differences in technologies' performance have been studied in laboratory testing, performance in real-world settings has been much less extensively studied because, for example, of challenges acquiring meaningful samples across demographic groups. Selected stakeholders provided examples of positive and negative effects associated with the use of biometric identification in communities facing historical patterns of disadvantage. Positive examples included convenience and increased access to public benefits and services, while negative examples included false arrests and subjecting communities to surveillance. The selected stakeholders identified concerns about the use of biometric identification technologies, which GAO grouped into six areas: biased outcomes, limitations understanding technology performance and effects, data and privacy, systemic inequity, lack of transparency, and technical expertise of users. GAO identified five key considerations that could help policymakers address one or more areas of stakeholder concern through a review of relevant literature and stakeholder interviews. These key considerations include: (1) conducting comprehensive evaluations to provide a fuller picture of the effects of biometric identification technologies, (2) encouraging more widespread sharing of information about the use of the technologies, (3) applying a risk-based approach in developing regulation and guidance, (4) enacting comprehensive privacy laws or guidance, and (5) providing technology users with additional training and guidance on how to select and use relevant technologies appropriately. Six Stakeholder Concerns About the Use of Biometric Identification Technologies and Five Considerations for Addressing Concerns Why GAO Did This Study Biometric identification is the recognition of individuals based on their biological characteristics. These technologies include facial recognition, iris scanning, and fingerprinting, among others. Advocates for the use of biometric identification point to potential for the technologies to increase convenience, security, and efficiency. At the same time, several organizations have raised concerns about the accuracy of the technologies and their effect on privacy and civil liberties. The Research and Development, Competition, and Innovation Act includes a provision for GAO to examine “the impact of biometric identification technologies on historically marginalized communities, including low-income communities and minority religious, racial, and ethnic groups.” This report (1) describes literature and researcher views on the accuracy of biometric identification technologies across populations; (2) describes selected stakeholders' perspectives on how, if at all, use of biometric identification technologies affects access to resources or levels of inequality for communities that have faced historical patterns of disadvantage; and (3) identifies key considerations that could help address stakeholder concerns about the use of biometric identification technologies. GAO reviewed academic literature, government reports, and industry documents. GAO also interviewed researchers and a range of stakeholders, including community advocates; technology vendors; and local, state, and federal governments. For more information, contact Candice N. Wright at (202) 512-6888 or WrightC@gao.gov.

What GAO Found The Single Audit Act requires nonfederal entities that spend $750,000 or more in federal awards in a year to undergo a single audit, which is an audit of an entity's financial statements and federal awards, or in select cases a program-specific audit, and submit the results to the Federal Audit Clearinghouse (FAC). The U.S. Census Bureau maintained the FAC until October 2023, when the Office of Management and Budget (OMB) designated the General Services Administration (GSA) to assume responsibilities. GAO identified some issues with FAC processes that affect the reliability and usefulness of single audit information. For example, the FAC currently cannot identify recipients that should have submitted a single audit but did not. As a result, federal agencies may not have all the data they need to conduct oversight. In addition, OMB has not designated an entity to conduct a government-wide single audit quality review since 2007. Given the trillions of dollars of COVID-19-related financial assistance provided in recent years, a government-wide review is increasingly important to help identify issues in the quality of single audits that can lead to unreliable FAC information. GAO also found that $1.17 trillion of the reported $6.97 trillion of direct federal award funds spent by recipients from 2017 through 2021 were linked to single audit findings that were both severe (contributed to an auditor's modified opinion or material weakness) and persistent (repeated over multiple years). Severity and Persistence of Single Audit Findings by Direct Expenditure of Federal Awards, 2017-2021 Note: Numbers may not sum due to rounding. For more details, see fig. 4 in GAO-24-106173. These findings were also related to $69 billion of COVID-19 relief funds spent from 2020 to 2021. GAO identified 213 findings reported in 2015 or earlier that remained unresolved in 2021. Why GAO Did This Study Federal award amounts distributed to recipients have increased substantially since the onset of the COVID-19 pandemic. For fiscal year 2023, $1.1 trillion of awards were distributed and about 40,000 single audits were submitted to the FAC. Single audits are an important tool to help ensure that award recipients are complying with the requirements of their awards. The CARES Act includes a provision for GAO to conduct oversight of funds made available to respond to the COVID-19 pandemic. This report examines (1) FAC data reliability for oversight purposes, including oversight of COVID-19 relief funding; (2) processes involved in using and overseeing the FAC; and (3) the extent to which federal award expenditures were linked to severe and persistent single audit findings reported in the FAC. GAO analyzed FAC data from 2015 through 2021 (the most recent complete data available at the time of review). GAO interviewed selected federal agencies and audit community members about their use of the FAC.

What GAO Found The Dodd-Frank Wall Street Reform and Consumer Protection Act created the Consumer Financial Protection Bureau (CFPB) to regulate the offering and provision of consumer financial products or services under federal consumer financial laws. The act also provided CFPB authorities related to supervising and enforcing federal consumer financial laws, handling consumer complaints, promoting financial education, and monitoring financial markets for risks to consumers. CFPB is an independent bureau within the Federal Reserve System and is funded primarily through transfers from the combined earnings of the Federal Reserve System. CFPB operates within six divisions, including divisions focused on consumer response and education; research, monitoring, and regulations; and supervision, enforcement, and fair lending. GAO audits CFPB's annual financial statements, in accordance with statutory requirements. Since 2011, GAO has found that CFPB's financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. In addition, GAO has not identified any reportable noncompliance with provisions of applicable laws, regulations, contracts, or grant agreements it tested. In all but one annual audit, GAO found that CFPB maintained, in all material respects, effective internal control over financial reporting. In November 2014, GAO reported that CFPB's internal control over financial reporting was not effective for fiscal year 2014 because of a material weakness in internal control over the reporting of accounts payable. GAO found that CFPB took significant actions in fiscal year 2015 that sufficiently addressed the deficiencies related to the material weakness. GAO also identified deficiencies that collectively constituted significant deficiencies in CFPB's internal control over financial reporting in fiscal years 2013 through 2016. CFPB addressed these issues. GAO conducts performance audits of CFPB that cover a variety of the bureau's operations in response to congressional mandates or requests. In recent years, performance audits have addressed topics including CFPB's analysis of certain mortgage data, its personnel management, and its oversight and enforcement of fair lending laws. GAO's audits have also reviewed CFPB's workforce expertise related to financial technology and its efforts to address consumer risks from financial technology and blockchain products and services. For example: In September 2023, GAO recommended that CFPB conduct strategic workforce planning that addresses financial technology; develop performance goals and measures for its Office of Competition and Innovation that are clear, targeted, and measurable; and develop performance measures that are specific to its strategic objectives related to supervisory technologies. In June 2023, GAO recommended that CFPB work with the other financial regulators to establish or adapt an existing formal coordination mechanism to collectively identify risks posed by blockchain-related products and services and formulate a timely regulatory response. CFPB neither agreed nor disagreed with these recommendations. GAO will track CFPB's progress on these recommendations over time. Why GAO Did This Study Since CFPB began operating in 2011, GAO has conducted oversight of various aspects of the bureau's operations. This statement discusses (1) CFPB's mission and structure, (2) GAO's financial audits of CFPB's annual financial statements, and (3) GAO's performance audits of CFPB's operations. This statement is based on information from GAO's prior financial and performance audits as well as publicly available CFPB information, including its most recent strategic plan.

What GAO Found From fiscal years 2018 through 2022 the federal government obligated more than $33 billion for the purchase of food sourced from within the United States from domestic vendors. During this time, the United States Department of Agriculture's (USDA) Agricultural Marketing Service and the Department of Defense's (DOD) Defense Logistics Agency accounted for more than 90 percent of all federal purchases of domestic food. These foods are purchased for Agricultural Marketing Service and Defense Logistics Agency clients, including schools, food banks, and military installations, and are a vital component of our nation's food safety net. Both the Agricultural Marketing Service and Defense Logistics Agency purchase food in response to requests from their clients. These requests reflect dietary guidelines tailored to specific needs. The Agricultural Marketing Service and Defense Logistics Agency obligated nearly $30 billion for food purchases in fiscal years 2018 through 2022. Of that amount, the agencies obligated $13.6 billion (over 45 percent) on contracts with small businesses, according to GAO's analysis of federal procurement data. Both agencies are generally required by law to purchase domestic food, but there are no requirements that this food be locally grown, and neither the Agricultural Marketing Service nor Defense Logistics Agency collects comprehensive data on such purchases. However, both agencies encourage vendors to source locally grown food where available. In addition, since fiscal year 2021, the Agricultural Marketing Service has provided more than $600 million in financial assistance to states, territories, and tribal governments to purchase foods produced within the state, or within 400 miles of the delivery destination, to help support local, regional, and underserved producers. Through the USDA DOD Fresh Fruit and Vegetable Program—which provides fresh fruits and vegetables to schools, Tribes, and tribal organizations in partnership with the USDA—the Defense Logistics Agency purchased more than $287 million of locally grown food products from fiscal years 2018 through 2022. Why GAO Did This Study The Agricultural Marketing Service is the primary purchasing agency for USDA and uses contracts to purchase a variety of domestic food products from vendors for use by the agency's clients, such as schools and food banks. The Defense Logistics Agency procures and distributes food through the DOD supply chain, including to military installations. Federal regulations require agencies to contract with small businesses, including for the purchase of food, to the extent practicable. The Agricultural Marketing Service and Defense Logistics Agency are required to purchase domestic food products. However, they are not required to purchase food that is locally grown. GAO was asked to examine issues related to federal purchases of food, including the extent of small business participation and purchases of locally grown food. This report provides information about how the Agricultural Marketing Service and Defense Logistics Agency make decisions about the types of food to purchase, the amount they purchased from small businesses, and their purchases of locally grown food in fiscal years 2018 through 2022, the most recent data available at the time of GAO's review. GAO reviewed relevant laws and agency documentation, analyzed obligations data, and interviewed agency officials as well as selected Agricultural Marketing Service and Defense Logistics Agency clients. For more information, contact Steve Morris at (202) 512-3841 or morriss@gao.gov.

What GAO Found Nonjudicial punishment, such as forfeiture of pay or a reduction in grade, is a tool to deter misconduct, maintain discipline, and improve performance without going through the court-martial process. Service members onboard a vessel at sea cannot refuse nonjudicial punishment and demand a trial by court-martial when a commanding officer uses the vessel exception. The Navy and the Marine Corps are refining guidance on the use of the vessel exception for nonjudicial punishment and plan to evaluate policy changes as new guidance is issued. For example, in November 2023, the Department of the Navy issued guidance that restricts use of the vessel exception when a ship is undergoing maintenance and is not operational. With these ongoing efforts, the Department of the Navy is on track to improve oversight of nonjudicial punishment and the use of the vessel exception. The Navy and the Marine Corps have processes in place to report nonjudicial punishment data. However, GAO found, and Navy and Marine Corps officials acknowledged, that the accuracy and completeness of nonjudicial punishment data are limited due to human error and lack of automated processes. The Navy planned to use an automated system by October 2022 to collect nonjudicial punishment data but did not meet this goal due to funding constraints, according to Navy officials. Further, although the Navy issued a revised policy that clarifies reporting on the use of the vessel exception in January 2024, the policy does not address data quality issues stemming from the manual compilation of data. Without establishing a time frame to automate the collection and maintenance of quality nonjudicial punishment data and then implementing these automated processes, the Navy, the Marine Corps, and Congress may be hindered in their ability to provide sufficient oversight of nonjudicial punishment and the use of the vessel exception. Such oversight would include the use of quality data to analyze trends in military justice processes and to measure the effectiveness of discipline-related initiatives. Navy and Marine Corps Process for Reporting Nonjudicial Punishment Data, as of January 2024 Why GAO Did This Study The Navy and the Marine Corps impose nonjudicial punishment as a disciplinary measure for minor offenses. A service member's career can be stigmatized by a record of nonjudicial punishment, which can lead to involuntary separation with less than an honorable discharge, according to Navy and Marine Corps officials. House Report 117-397 includes a provision for GAO to review the Department of the Navy's use of the vessel exception and policies related to nonjudicial punishment. Among other things, this report 1) describes Navy and Marine Corps guidance for using the vessel exception, and 2) assesses the extent to which the Navy and the Marine Corps report quality data for oversight of the vessel exception. GAO analyzed guidance, policies, and data; interviewed relevant officials; and conducted one site visit onboard a vessel at sea.

What GAO Found Six selected state Medicaid programs GAO reviewed varied in their ability to obtain data on beneficiaries with COVID-19 vaccinations from state immunization information systems during the COVID-19 public health emergency from 2020-2023. During the emergency, these systems—maintained by state public health departments—were the primary source of such data. This was because providers administering COVID-19 vaccinations were required to report to them. Specifically, state policies—which govern provider reporting requirements and data sharing—in effect prior to the emergency enabled Medicaid programs in four selected states to obtain patient-level vaccination data from state immunization information systems. In contrast, state policies in effect prior to the emergency in two selected states either did not specify or did not permit such data exchange. COVID-19 Vaccination Data Collection and Transmission to Certain State Medicaid Programs State officials and stakeholders described interoperability gaps between state immunization and Medicaid systems, the volume of vaccination data collected, and other factors as affecting the availability and quality of COVID-19 vaccination data collected by immunization information systems during the COVID-19 public health emergency. State officials described how some factors resulted from the public health emergency. They also noted solutions they implemented as the emergency progressed, such as using a temporary storage system for the increased volume of data. State and federal officials also identified state policies as continuing to be important drivers of vaccination data collection and data sharing with Medicaid programs after the public health emergency. In the four selected states with access to patient-level data, GAO found that Medicaid programs used the data to implement two types of strategies to increase COVID-19 vaccination rates: incentives and targeted outreach. For example, one state awarded incentive payments to its 25 managed care organizations based on performance across 10 vaccination measures. Additionally, Medicaid and managed care officials in five of the six states described using data from other sources, such as Medicaid claims, to increase COVID-19 vaccination rates among high-risk and vulnerable populations. For example, Medicaid officials in these states told us Medicaid claims data helped them to identify and focus efforts on beneficiaries most at risk of adverse outcomes from COVID-19. Although states reported using various strategies to increase vaccinations, the effectiveness of their specific strategies is unclear due to the nature of the COVID-19 public health emergency. According to Medicaid officials, it is difficult to attribute changes in Medicaid beneficiaries' vaccination rates to a specific strategy, because the emergency required multiple concurrent strategies. Why GAO Did This Study Given the importance of COVID-19 vaccinations in preventing severe outcomes, such as hospitalizations and death, ensuring Medicaid beneficiaries receive the vaccine is important. However, state Medicaid programs did not always receive information on the vaccination status of beneficiaries directly from providers during the public health emergency. This was in part because vaccines were purchased by the federal government rather than by insurers like Medicaid. GAO was asked to examine Medicaid programs' access to and use of data from immunization information systems to improve COVID-19 vaccination rates among beneficiaries, and factors contributing to data completeness. This report describes (1) the extent to which selected states' Medicaid programs obtained patient-level COVID-19 vaccination data, and any factors affecting data availability and quality; and (2) how that data helped inform selected states' strategies to improve COVID-19 vaccination rates, and information on the effectiveness of such strategies. GAO reviewed relevant federal laws, interviewed federal agency officials, as well as reviewed information and interviewed officials from state public health departments and Medicaid programs in six states. The states were selected based on characteristics of their Medicaid and immunization programs, among other various factors. GAO also interviewed 10 stakeholder organizations, including those representing immunization managers and Medicaid directors. For more information, contact Catina B. Latham at (202) 512-7114 or lathamc@gao.gov.

What GAO Found The Department of Defense (DOD) has deployed its new federal electronic health record (EHR) system, called MHS GENESIS, at military treatment facilities. The final system deployment took place in March 2024 at the Federal Health Care Center, a joint DOD and VA facility. As of March 2024, DOD and VA reported that they had completed the 35 critical tasks and milestones required to implement the new system at the joint facility, but the departments have opportunities to further integrate their systems. Accordingly, DOD and VA began a process to resolve differences between their respective workflows and EHR configurations to increase integration. However, the process did not result in a fully integrated approach due to reasons such as legal and policy barriers. Until it addresses these barriers, DOD and VA will likely not meet the integration goal established for the Federal Health Care Center. In 2022, DOD began conducting an annual survey of MHS GENESIS user satisfaction and worked with a contractor to analyze survey data. User satisfaction rates for DOD's new system have improved over the past 2 years. However, the user satisfaction rates for the new system were generally lower than the rates for users of DOD's legacy systems and for private-sector users of the commercial version of MHS GENESIS (see table). User Satisfaction Results from DOD's 2023 Annual User Satisfaction Survey Compared to Results for DOD's Legacy Systems and Similar Private-Sector Systems Survey question topic New electronic health record Legacy systems Private-sector systems Patient-centered care 39% 56% 46% Efficiency 20 36 32 Downtime 49 45 67 Response time 21 31 40 Quality care 29 46 50 Source: GAO analysis of Department of Defense (DOD) information. │ GAO 24 106187 Note: DOD legacy system data come from 2022 survey results. Data for DOD's new electronic health record and for private-sector systems come from 2023 survey results. Although user satisfaction levels are below those for its other relevant systems, DOD has not yet established satisfaction goals. Without goals for improving user satisfaction, the department will be limited in its ability to measure progress, plan for improvements, and ensure the system meets users' needs. DOD's Program Executive Office has implemented an issue management plan to address key issues affecting MHS GENESIS. However, it has not been able to resolve problems with its dental module, called Dentrix. These problems, which began in 2018, continued to plague Dentrix through January 2024. This led to DOD elevating the issue to the severe level and deciding to identify Dentrix alternatives. However, DOD does not yet have a plan or schedule for identifying alternatives. Until the office resolves the Dentrix issue, the new federal EHR will not provide critical functionality to dentists who treat DOD beneficiaries. Why GAO Did This Study DOD's health care system is one of the largest in the nation, providing crucial services to millions of service members, retirees, and their family members. The department has taken major steps to modernize the EHR systems it uses to manage patient health information. Federal law includes provisions for GAO to review DOD's EHR system modernization. This report examines (1) the progress DOD and VA have made toward implementing the federal electronic health record system at the Federal Health Care Center, (2) the extent to which DOD has identified user satisfaction with the system, and (3) the extent to which DOD has managed key issues affecting system implementation. GAO analyzed agency documentation, such as implementation plans and results of user satisfaction surveys. GAO also reviewed program documentation on long-standing EHR-related issues, including issues with deploying the dental module. In addition, GAO observed monthly program management meetings where top program risks were discussed, interviewed department officials, and conducted a site visit to the Federal Health Care Center.

What GAO Found Among its 115 provisions, the order contains 55 leadership and oversight requirements (actions to assist or direct the federal agencies in implementing the order). The three key agencies primarily responsible for the implementation of these requirements are the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget (OMB). These agencies fully completed 49 of the 55 requirements, partially completed five, and one was not applicable (see table below). Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected. Progress in Implementing Executive Order 14028 Leadership and Oversight Requirements, as of March 2024   Executive Order Section Number of requirements that are: Fully complete Partially complete Not complete Not applicable Removing Barriers to Sharing Threat Information 6 1 — — Modernizing Federal Government Cybersecurity 8 — — — Enhancing Software Supply Chain Security 16 1 — — Establishing a Cyber Safety Review Board 6 1 — — Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents 4 — — 1 Improving Detection of Cybersecurity Vulnerabilities and Incidents 7 1 — — Improving the Federal Government's Investigative and Remediation Capabilities 2 1 — — Total 49 5 — 1 Legend: fully complete = those where the actions required are complete; partially complete = those where GAO judged significant, but not complete, progress to be made in completing a requirement; not complete = those where the progress made toward completion was minimal and not significant. The symbol “—” indicates that no requirements received this score. Source: GAO analysis of documentation from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; the National Institute of Standards and Technology; and the Office of Management and Budget. | GAO-24-106343 GAO's High-Risk Series identified ten action areas critical to addressing the nation's cybersecurity challenges. The order's requirements directly address five of these ten critical action areas, while each of the other five could be addressed by other recently-issued strategies, frameworks, and guidance. For example, the cyber workforce and critical infrastructure action areas could potentially be addressed by the National Cyber Workforce Strategy and National Cybersecurity Strategy, if implemented effectively. In addition to the ten action areas, six federal chief information security officers (CISO) identified additional cyber issue areas they considered to be challenging, such as uncertainty in cyber funding, creating a culture that prioritizes cybersecurity as an essential mission component, and focus on cyber compliance versus cyber resilience. The order's requirements also address each of these additional cyber issue areas identified by CISOs. For example, the order addresses uncertainties in cyber funding by requiring OMB to assist agencies in having sufficient resources to implement its requirements. Why GAO Did This Study For more than 25 years, GAO has identified information security as a high-risk area. During this period, the threat of cyber-based attacks on IT systems has continued to grow. In 2021, the President issued Executive Order 14028 to enhance federal resilience in protecting IT systems. The order contains requirements for federal agencies to improve their ability to identify, protect against, and respond to malicious cyber threats. The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically report on agencies' progress in improving their cybersecurity practices. This report examines the extent to which (1) agencies have implemented Executive Order 14028 leadership and oversight-related requirements and (2) the order has addressed federal cybersecurity challenges. To do so, GAO identified government-wide leadership and oversight requirements in the order and the key agencies required to perform them. GAO then reviewed the agencies' implementation of those requirements. GAO also compared challenges identified in its work and in discussions with federal CISOs against the content of the order to determine whether they were addressed.

What GAO Found Mpox, a serious infectious disease caused by a virus in the same family as smallpox, experienced an unprecedented global outbreak in 2022. The Department of Health and Human Services (HHS) led the initial federal response in the U.S., beginning in May 2022. According to a White House press release, a White House mpox response team was established and assumed leadership of the federal response, and the Secretary of Health and Human Services declared mpox a public health emergency in early August 2022. The federal mpox response included providing vaccines to jurisdictions for the prevention of mpox, among other efforts. Timeline of Selected Mpox Response Activities and Number of Mpox Infectionsa aThe decline in daily mpox cases was likely due to the combined effect of events in figure above. The six states, the District of Columbia, and seven local jurisdictions GAO interviewed described challenges with HHS's initial response to mpox that were similar to those GAO identified in HHS's response to past emergencies. For example, jurisdictions noted challenges with communication and the availability of vaccines, tests, and treatments, among other problems. Similar persistent and recurring deficiencies led GAO to add HHS's leadership and coordination of public health emergencies to its High-Risk List in January 2022, calling for an HHS leadership commitment to transform its efforts. HHS—as the designated lead for the federal public health and medical response to emergencies—does not have a coordinated, department-wide after-action program to identify and resolve recurring emergency response challenges. While some component agencies within HHS have after-action programs, these agencies work independently without coordinating with each other, and do not always engage relevant external stakeholders in identifying challenges and associated solutions. GAO's past work has shown the benefits of coordination and including stakeholders when addressing challenges. Embracing a coordinated, department-wide after-action program for each response that includes external stakeholders would help HHS develop informed and comprehensive solutions. Such solutions should, in turn, strengthen HHS's ability to respond to future emergencies, including those that could be more infectious and lethal than mpox. Why GAO Did This Study State and local jurisdictions are often first to detect and respond to public health events. However, if their public health and medical capabilities need support, as with mpox, HHS is charged with coordinating federal assistance to supplement the response. GAO was asked to review the federal response to the mpox public health emergency. In this report, GAO (1) describes the federal response to the mpox outbreak, (2) assesses the extent to which the federal mpox response presented challenges similar to those experienced in past public health emergencies, and (3) assesses federal efforts to address recurring public health emergency challenges. GAO reviewed HHS documents and mpox infection data from May 18, 2022, to January 31, 2023. GAO interviewed officials from the Department of Homeland Security, HHS, and 14 selected jurisdictions (six states, the District of Columbia, and seven localities), chosen based on case rates and demographic and geographic diversity. GAO received written responses from the White House mpox response team. GAO also reviewed HHS after-action processes and documents.