1. We recommend the Deputy Secretary of Commerce direct the Department's Chief Information Officer to work with system owners to (a) determine why penetration tests and KEV findings are not resolved within established due dates, (b) prioritize resources to resolve the causes of the delayed remediations, (c) immediately remediate vulnerabilities, and (d) establish a real-time reporting mechanism to track closures.