Rec. 1.a: The DoD OIG recommend that the Air Force Chief Information Officer direct the system owners, in coordination with the Air Force Chief Information Security Officer and Authorizing Officials, to identify and mitigate all very high, high, and moderate weaknesses identified in plans of action and milestones that exceed the 30-day and 90-day mitigation requirement as required by Air Force guidance, and prioritize any weaknesses identified in the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog.