Open Recommendations

The Chief Information Officer, in conjunction with the Chief Operating Officer, should revise the DLP rules to be more restrictive to help prevent intentional data exfiltration.

The Chief Information Officer, in conjunction with the Chief Operating Officer, should continue to ensure that the managers and executives responsible for reviewing and approving BEARS ********************** requests carefully review all requests and only approve requests with sufficient and appropriate responses to the required questions.

Evaluate whether any clarifications or updates to Revenue Procedure 2013-14 or Treasury Regulation § 301.7216-3 are needed to address concerns or raise awareness of data sharing practices with tax software companies that use pixels.

We recommend that the Principal Deputy Assistant Secretary for Water and Science, as the delegated Federal Geographic Data Committee Chair, conduct an analysis to identify the root cause(s) of the geospatial dataset unavailability on GeoPlatform.

We recommend that the Principal Deputy Assistant Secretary for Water and Science, as the delegated Federal Geographic Data Committee Chair, conduct an analysis to determine the costs, benefits, and feasibility of resolving the root causes identified with GeoPlatform.

We recommend that the Principal Deputy Assistant Secretary for Water and Science, as the delegated Federal Geographic Data Committee Chair, implement appropriate changes based on the root cause and cost benefit analyses to address dataset availability issues.

We recommend that the Office of the Chief Information Officer, in the absence of Federal Geographic Data Committee standards, identify relevant best practices and develop requirements for specific data fields for National Geospatial Data Assets in alignment with best practices.

Take corrective action for the subrecipient monitoring and agreement issues cited for eight of the ESG-CV grantees reviewed, and provide additional guidance and technical assistance as needed to ensure that they understand requirements.

Develop and implement additional subrecipient monitoring training and guidance for all ESG grantees.

Work with the relevant components to better align metrics across the Department and to determine what metrics for the ransomware threat, including metrics tracking disruption efforts, are most impactful, and which demonstrate the effectiveness of its actions to combat the ransomware threat.

Assess the U.S. Attorneys' Offices (USAO) implementation of the deconfliction policy, for ransomware cases, to ensure that federal prosecutors have a consistent understanding of the policy and comply with its requirements.

Rec. 1: The DoD OIG recommended that the Deputy Commandant, Manpower and Reserve Affairs, Headquarters, U.S. Marine Corps, develop and disseminate guidance providing a consistent approach for documenting and uploading dwell waiver requests to the Service member's Electronic Service Record to ensure that a Service member's consent to mobilization while in dwell is properly documented and maintained.

Rec. 4: The DoD OIG recommended that the Deputy Chief of Staff for Personnel, Headquarters, Department of the Army, develop and issue guidance applicable to the Army National Guard and the Army Reserve for maintaining documentation supporting Service members consent to mobilization while in dwell.

We recommend that USAID's Chief Information Officer develop and implement written guidance for performing and documenting cost-benefit and alternative analyses for cloud acquisitions before procuring cloud services.

We recommend that USAID's Chief Information Officer develop and implement a written procedure to document the Chief Information Officer's review and approval of all cloud service acquisition plans.

We recommend that USAID's Chief Information Officer develop and implement a written process for defining and reviewing service level agreements to determine whether they meet Agency needs.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with continuous monitoring reporting requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer develop additional procedures to hold system accountable for noncompliance with plan of action and milestones requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

We recommend that USAID's Chief Information Officer revise Agency procedures to address how system owners should document their monitoring of cloud service providers' remediation activities.

We recommend the Executive Assistant Commissioner of CBP’s Office of Field Operations develop and implement policies and procedures requiring regular comprehensive assessments of operations across all land ports of entry. These policies and procedures should also include key elements such as the designated office or official for conducting comprehensive assessments, assessment criteria, frequency of assessments, and related records retention requirements.

We recommend the Executive Assistant Commissioner of CBP’s Office of Field Operations conduct an initial comprehensive assessment of land port of entry operations, issue a report on the findings to identify areas of efficiencies, develop a corrective action plan to eliminate inefficiencies, and avoid wasting funds. This report should also document the rationale for strategic decisions including, but not limited to:• maintaining current land port of entry operations;• reducing or expanding land port of entry operational hours; and• permanently closing land ports of entry.

We recommend that OPM develop a written plan and process to collect eligibility documentation for all dependents enrolled within the PSHBP.

We recommend that OPM develop a written plan and process to perform a verification and validation of the documentation supporting dependent eligibility maintained within the PSHBS.

We recommend that OPM consider the feasibility and scalability of the PSHBS, decide if it can be adopted into the FEHBP enrollment process, and the necessary measures to adopt it into the FEHBP.

Track facilities supply chain personnel vacancies as part of the quality control reviews and take appropriate action.