What GAO Found The Dodd-Frank Wall Street Reform and Consumer Protection Act created the Consumer Financial Protection Bureau (CFPB) to regulate the offering and provision of consumer financial products or services under federal consumer financial laws. The act also provided CFPB authorities related to supervising and enforcing federal consumer financial laws, handling consumer complaints, promoting financial education, and monitoring financial markets for risks to consumers. CFPB is an independent bureau within the Federal Reserve System and is funded primarily through transfers from the combined earnings of the Federal Reserve System. CFPB operates within six divisions, including divisions focused on consumer response and education; research, monitoring, and regulations; and supervision, enforcement, and fair lending. GAO audits CFPB's annual financial statements, in accordance with statutory requirements. Since 2011, GAO has found that CFPB's financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. In addition, GAO has not identified any reportable noncompliance with provisions of applicable laws, regulations, contracts, or grant agreements it tested. In all but one annual audit, GAO found that CFPB maintained, in all material respects, effective internal control over financial reporting. In November 2014, GAO reported that CFPB's internal control over financial reporting was not effective for fiscal year 2014 because of a material weakness in internal control over the reporting of accounts payable. GAO found that CFPB took significant actions in fiscal year 2015 that sufficiently addressed the deficiencies related to the material weakness. GAO also identified deficiencies that collectively constituted significant deficiencies in CFPB's internal control over financial reporting in fiscal years 2013 through 2016. CFPB addressed these issues. GAO conducts performance audits of CFPB that cover a variety of the bureau's operations in response to congressional mandates or requests. In recent years, performance audits have addressed topics including CFPB's analysis of certain mortgage data, its personnel management, and its oversight and enforcement of fair lending laws. GAO's audits have also reviewed CFPB's workforce expertise related to financial technology and its efforts to address consumer risks from financial technology and blockchain products and services. For example: In September 2023, GAO recommended that CFPB conduct strategic workforce planning that addresses financial technology; develop performance goals and measures for its Office of Competition and Innovation that are clear, targeted, and measurable; and develop performance measures that are specific to its strategic objectives related to supervisory technologies. In June 2023, GAO recommended that CFPB work with the other financial regulators to establish or adapt an existing formal coordination mechanism to collectively identify risks posed by blockchain-related products and services and formulate a timely regulatory response. CFPB neither agreed nor disagreed with these recommendations. GAO will track CFPB's progress on these recommendations over time. Why GAO Did This Study Since CFPB began operating in 2011, GAO has conducted oversight of various aspects of the bureau's operations. This statement discusses (1) CFPB's mission and structure, (2) GAO's financial audits of CFPB's annual financial statements, and (3) GAO's performance audits of CFPB's operations. This statement is based on information from GAO's prior financial and performance audits as well as publicly available CFPB information, including its most recent strategic plan.

What GAO Found From fiscal years 2018 through 2022 the federal government obligated more than $33 billion for the purchase of food sourced from within the United States from domestic vendors. During this time, the United States Department of Agriculture's (USDA) Agricultural Marketing Service and the Department of Defense's (DOD) Defense Logistics Agency accounted for more than 90 percent of all federal purchases of domestic food. These foods are purchased for Agricultural Marketing Service and Defense Logistics Agency clients, including schools, food banks, and military installations, and are a vital component of our nation's food safety net. Both the Agricultural Marketing Service and Defense Logistics Agency purchase food in response to requests from their clients. These requests reflect dietary guidelines tailored to specific needs. The Agricultural Marketing Service and Defense Logistics Agency obligated nearly $30 billion for food purchases in fiscal years 2018 through 2022. Of that amount, the agencies obligated $13.6 billion (over 45 percent) on contracts with small businesses, according to GAO's analysis of federal procurement data. Both agencies are generally required by law to purchase domestic food, but there are no requirements that this food be locally grown, and neither the Agricultural Marketing Service nor Defense Logistics Agency collects comprehensive data on such purchases. However, both agencies encourage vendors to source locally grown food where available. In addition, since fiscal year 2021, the Agricultural Marketing Service has provided more than $600 million in financial assistance to states, territories, and tribal governments to purchase foods produced within the state, or within 400 miles of the delivery destination, to help support local, regional, and underserved producers. Through the USDA DOD Fresh Fruit and Vegetable Program—which provides fresh fruits and vegetables to schools, Tribes, and tribal organizations in partnership with the USDA—the Defense Logistics Agency purchased more than $287 million of locally grown food products from fiscal years 2018 through 2022. Why GAO Did This Study The Agricultural Marketing Service is the primary purchasing agency for USDA and uses contracts to purchase a variety of domestic food products from vendors for use by the agency's clients, such as schools and food banks. The Defense Logistics Agency procures and distributes food through the DOD supply chain, including to military installations. Federal regulations require agencies to contract with small businesses, including for the purchase of food, to the extent practicable. The Agricultural Marketing Service and Defense Logistics Agency are required to purchase domestic food products. However, they are not required to purchase food that is locally grown. GAO was asked to examine issues related to federal purchases of food, including the extent of small business participation and purchases of locally grown food. This report provides information about how the Agricultural Marketing Service and Defense Logistics Agency make decisions about the types of food to purchase, the amount they purchased from small businesses, and their purchases of locally grown food in fiscal years 2018 through 2022, the most recent data available at the time of GAO's review. GAO reviewed relevant laws and agency documentation, analyzed obligations data, and interviewed agency officials as well as selected Agricultural Marketing Service and Defense Logistics Agency clients. For more information, contact Steve Morris at (202) 512-3841 or morriss@gao.gov.

What GAO Found Nonjudicial punishment, such as forfeiture of pay or a reduction in grade, is a tool to deter misconduct, maintain discipline, and improve performance without going through the court-martial process. Service members onboard a vessel at sea cannot refuse nonjudicial punishment and demand a trial by court-martial when a commanding officer uses the vessel exception. The Navy and the Marine Corps are refining guidance on the use of the vessel exception for nonjudicial punishment and plan to evaluate policy changes as new guidance is issued. For example, in November 2023, the Department of the Navy issued guidance that restricts use of the vessel exception when a ship is undergoing maintenance and is not operational. With these ongoing efforts, the Department of the Navy is on track to improve oversight of nonjudicial punishment and the use of the vessel exception. The Navy and the Marine Corps have processes in place to report nonjudicial punishment data. However, GAO found, and Navy and Marine Corps officials acknowledged, that the accuracy and completeness of nonjudicial punishment data are limited due to human error and lack of automated processes. The Navy planned to use an automated system by October 2022 to collect nonjudicial punishment data but did not meet this goal due to funding constraints, according to Navy officials. Further, although the Navy issued a revised policy that clarifies reporting on the use of the vessel exception in January 2024, the policy does not address data quality issues stemming from the manual compilation of data. Without establishing a time frame to automate the collection and maintenance of quality nonjudicial punishment data and then implementing these automated processes, the Navy, the Marine Corps, and Congress may be hindered in their ability to provide sufficient oversight of nonjudicial punishment and the use of the vessel exception. Such oversight would include the use of quality data to analyze trends in military justice processes and to measure the effectiveness of discipline-related initiatives. Navy and Marine Corps Process for Reporting Nonjudicial Punishment Data, as of January 2024 Why GAO Did This Study The Navy and the Marine Corps impose nonjudicial punishment as a disciplinary measure for minor offenses. A service member's career can be stigmatized by a record of nonjudicial punishment, which can lead to involuntary separation with less than an honorable discharge, according to Navy and Marine Corps officials. House Report 117-397 includes a provision for GAO to review the Department of the Navy's use of the vessel exception and policies related to nonjudicial punishment. Among other things, this report 1) describes Navy and Marine Corps guidance for using the vessel exception, and 2) assesses the extent to which the Navy and the Marine Corps report quality data for oversight of the vessel exception. GAO analyzed guidance, policies, and data; interviewed relevant officials; and conducted one site visit onboard a vessel at sea.

What GAO Found Six selected state Medicaid programs GAO reviewed varied in their ability to obtain data on beneficiaries with COVID-19 vaccinations from state immunization information systems during the COVID-19 public health emergency from 2020-2023. During the emergency, these systems—maintained by state public health departments—were the primary source of such data. This was because providers administering COVID-19 vaccinations were required to report to them. Specifically, state policies—which govern provider reporting requirements and data sharing—in effect prior to the emergency enabled Medicaid programs in four selected states to obtain patient-level vaccination data from state immunization information systems. In contrast, state policies in effect prior to the emergency in two selected states either did not specify or did not permit such data exchange. COVID-19 Vaccination Data Collection and Transmission to Certain State Medicaid Programs State officials and stakeholders described interoperability gaps between state immunization and Medicaid systems, the volume of vaccination data collected, and other factors as affecting the availability and quality of COVID-19 vaccination data collected by immunization information systems during the COVID-19 public health emergency. State officials described how some factors resulted from the public health emergency. They also noted solutions they implemented as the emergency progressed, such as using a temporary storage system for the increased volume of data. State and federal officials also identified state policies as continuing to be important drivers of vaccination data collection and data sharing with Medicaid programs after the public health emergency. In the four selected states with access to patient-level data, GAO found that Medicaid programs used the data to implement two types of strategies to increase COVID-19 vaccination rates: incentives and targeted outreach. For example, one state awarded incentive payments to its 25 managed care organizations based on performance across 10 vaccination measures. Additionally, Medicaid and managed care officials in five of the six states described using data from other sources, such as Medicaid claims, to increase COVID-19 vaccination rates among high-risk and vulnerable populations. For example, Medicaid officials in these states told us Medicaid claims data helped them to identify and focus efforts on beneficiaries most at risk of adverse outcomes from COVID-19. Although states reported using various strategies to increase vaccinations, the effectiveness of their specific strategies is unclear due to the nature of the COVID-19 public health emergency. According to Medicaid officials, it is difficult to attribute changes in Medicaid beneficiaries' vaccination rates to a specific strategy, because the emergency required multiple concurrent strategies. Why GAO Did This Study Given the importance of COVID-19 vaccinations in preventing severe outcomes, such as hospitalizations and death, ensuring Medicaid beneficiaries receive the vaccine is important. However, state Medicaid programs did not always receive information on the vaccination status of beneficiaries directly from providers during the public health emergency. This was in part because vaccines were purchased by the federal government rather than by insurers like Medicaid. GAO was asked to examine Medicaid programs' access to and use of data from immunization information systems to improve COVID-19 vaccination rates among beneficiaries, and factors contributing to data completeness. This report describes (1) the extent to which selected states' Medicaid programs obtained patient-level COVID-19 vaccination data, and any factors affecting data availability and quality; and (2) how that data helped inform selected states' strategies to improve COVID-19 vaccination rates, and information on the effectiveness of such strategies. GAO reviewed relevant federal laws, interviewed federal agency officials, as well as reviewed information and interviewed officials from state public health departments and Medicaid programs in six states. The states were selected based on characteristics of their Medicaid and immunization programs, among other various factors. GAO also interviewed 10 stakeholder organizations, including those representing immunization managers and Medicaid directors. For more information, contact Catina B. Latham at (202) 512-7114 or lathamc@gao.gov.

What GAO Found The Department of Defense (DOD) has deployed its new federal electronic health record (EHR) system, called MHS GENESIS, at military treatment facilities. The final system deployment took place in March 2024 at the Federal Health Care Center, a joint DOD and VA facility. As of March 2024, DOD and VA reported that they had completed the 35 critical tasks and milestones required to implement the new system at the joint facility, but the departments have opportunities to further integrate their systems. Accordingly, DOD and VA began a process to resolve differences between their respective workflows and EHR configurations to increase integration. However, the process did not result in a fully integrated approach due to reasons such as legal and policy barriers. Until it addresses these barriers, DOD and VA will likely not meet the integration goal established for the Federal Health Care Center. In 2022, DOD began conducting an annual survey of MHS GENESIS user satisfaction and worked with a contractor to analyze survey data. User satisfaction rates for DOD's new system have improved over the past 2 years. However, the user satisfaction rates for the new system were generally lower than the rates for users of DOD's legacy systems and for private-sector users of the commercial version of MHS GENESIS (see table). User Satisfaction Results from DOD's 2023 Annual User Satisfaction Survey Compared to Results for DOD's Legacy Systems and Similar Private-Sector Systems Survey question topic New electronic health record Legacy systems Private-sector systems Patient-centered care 39% 56% 46% Efficiency 20 36 32 Downtime 49 45 67 Response time 21 31 40 Quality care 29 46 50 Source: GAO analysis of Department of Defense (DOD) information. │ GAO 24 106187 Note: DOD legacy system data come from 2022 survey results. Data for DOD's new electronic health record and for private-sector systems come from 2023 survey results. Although user satisfaction levels are below those for its other relevant systems, DOD has not yet established satisfaction goals. Without goals for improving user satisfaction, the department will be limited in its ability to measure progress, plan for improvements, and ensure the system meets users' needs. DOD's Program Executive Office has implemented an issue management plan to address key issues affecting MHS GENESIS. However, it has not been able to resolve problems with its dental module, called Dentrix. These problems, which began in 2018, continued to plague Dentrix through January 2024. This led to DOD elevating the issue to the severe level and deciding to identify Dentrix alternatives. However, DOD does not yet have a plan or schedule for identifying alternatives. Until the office resolves the Dentrix issue, the new federal EHR will not provide critical functionality to dentists who treat DOD beneficiaries. Why GAO Did This Study DOD's health care system is one of the largest in the nation, providing crucial services to millions of service members, retirees, and their family members. The department has taken major steps to modernize the EHR systems it uses to manage patient health information. Federal law includes provisions for GAO to review DOD's EHR system modernization. This report examines (1) the progress DOD and VA have made toward implementing the federal electronic health record system at the Federal Health Care Center, (2) the extent to which DOD has identified user satisfaction with the system, and (3) the extent to which DOD has managed key issues affecting system implementation. GAO analyzed agency documentation, such as implementation plans and results of user satisfaction surveys. GAO also reviewed program documentation on long-standing EHR-related issues, including issues with deploying the dental module. In addition, GAO observed monthly program management meetings where top program risks were discussed, interviewed department officials, and conducted a site visit to the Federal Health Care Center.

What GAO Found Among its 115 provisions, the order contains 55 leadership and oversight requirements (actions to assist or direct the federal agencies in implementing the order). The three key agencies primarily responsible for the implementation of these requirements are the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget (OMB). These agencies fully completed 49 of the 55 requirements, partially completed five, and one was not applicable (see table below). Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected. Progress in Implementing Executive Order 14028 Leadership and Oversight Requirements, as of March 2024   Executive Order Section Number of requirements that are: Fully complete Partially complete Not complete Not applicable Removing Barriers to Sharing Threat Information 6 1 — — Modernizing Federal Government Cybersecurity 8 — — — Enhancing Software Supply Chain Security 16 1 — — Establishing a Cyber Safety Review Board 6 1 — — Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents 4 — — 1 Improving Detection of Cybersecurity Vulnerabilities and Incidents 7 1 — — Improving the Federal Government's Investigative and Remediation Capabilities 2 1 — — Total 49 5 — 1 Legend: fully complete = those where the actions required are complete; partially complete = those where GAO judged significant, but not complete, progress to be made in completing a requirement; not complete = those where the progress made toward completion was minimal and not significant. The symbol “—” indicates that no requirements received this score. Source: GAO analysis of documentation from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; the National Institute of Standards and Technology; and the Office of Management and Budget. | GAO-24-106343 GAO's High-Risk Series identified ten action areas critical to addressing the nation's cybersecurity challenges. The order's requirements directly address five of these ten critical action areas, while each of the other five could be addressed by other recently-issued strategies, frameworks, and guidance. For example, the cyber workforce and critical infrastructure action areas could potentially be addressed by the National Cyber Workforce Strategy and National Cybersecurity Strategy, if implemented effectively. In addition to the ten action areas, six federal chief information security officers (CISO) identified additional cyber issue areas they considered to be challenging, such as uncertainty in cyber funding, creating a culture that prioritizes cybersecurity as an essential mission component, and focus on cyber compliance versus cyber resilience. The order's requirements also address each of these additional cyber issue areas identified by CISOs. For example, the order addresses uncertainties in cyber funding by requiring OMB to assist agencies in having sufficient resources to implement its requirements. Why GAO Did This Study For more than 25 years, GAO has identified information security as a high-risk area. During this period, the threat of cyber-based attacks on IT systems has continued to grow. In 2021, the President issued Executive Order 14028 to enhance federal resilience in protecting IT systems. The order contains requirements for federal agencies to improve their ability to identify, protect against, and respond to malicious cyber threats. The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically report on agencies' progress in improving their cybersecurity practices. This report examines the extent to which (1) agencies have implemented Executive Order 14028 leadership and oversight-related requirements and (2) the order has addressed federal cybersecurity challenges. To do so, GAO identified government-wide leadership and oversight requirements in the order and the key agencies required to perform them. GAO then reviewed the agencies' implementation of those requirements. GAO also compared challenges identified in its work and in discussions with federal CISOs against the content of the order to determine whether they were addressed.

What GAO Found Mpox, a serious infectious disease caused by a virus in the same family as smallpox, experienced an unprecedented global outbreak in 2022. The Department of Health and Human Services (HHS) led the initial federal response in the U.S., beginning in May 2022. According to a White House press release, a White House mpox response team was established and assumed leadership of the federal response, and the Secretary of Health and Human Services declared mpox a public health emergency in early August 2022. The federal mpox response included providing vaccines to jurisdictions for the prevention of mpox, among other efforts. Timeline of Selected Mpox Response Activities and Number of Mpox Infectionsa aThe decline in daily mpox cases was likely due to the combined effect of events in figure above. The six states, the District of Columbia, and seven local jurisdictions GAO interviewed described challenges with HHS's initial response to mpox that were similar to those GAO identified in HHS's response to past emergencies. For example, jurisdictions noted challenges with communication and the availability of vaccines, tests, and treatments, among other problems. Similar persistent and recurring deficiencies led GAO to add HHS's leadership and coordination of public health emergencies to its High-Risk List in January 2022, calling for an HHS leadership commitment to transform its efforts. HHS—as the designated lead for the federal public health and medical response to emergencies—does not have a coordinated, department-wide after-action program to identify and resolve recurring emergency response challenges. While some component agencies within HHS have after-action programs, these agencies work independently without coordinating with each other, and do not always engage relevant external stakeholders in identifying challenges and associated solutions. GAO's past work has shown the benefits of coordination and including stakeholders when addressing challenges. Embracing a coordinated, department-wide after-action program for each response that includes external stakeholders would help HHS develop informed and comprehensive solutions. Such solutions should, in turn, strengthen HHS's ability to respond to future emergencies, including those that could be more infectious and lethal than mpox. Why GAO Did This Study State and local jurisdictions are often first to detect and respond to public health events. However, if their public health and medical capabilities need support, as with mpox, HHS is charged with coordinating federal assistance to supplement the response. GAO was asked to review the federal response to the mpox public health emergency. In this report, GAO (1) describes the federal response to the mpox outbreak, (2) assesses the extent to which the federal mpox response presented challenges similar to those experienced in past public health emergencies, and (3) assesses federal efforts to address recurring public health emergency challenges. GAO reviewed HHS documents and mpox infection data from May 18, 2022, to January 31, 2023. GAO interviewed officials from the Department of Homeland Security, HHS, and 14 selected jurisdictions (six states, the District of Columbia, and seven localities), chosen based on case rates and demographic and geographic diversity. GAO received written responses from the White House mpox response team. GAO also reviewed HHS after-action processes and documents.

What GAO Found The Committee on Foreign Investment in the United States (CFIUS) enters into agreements that require companies to mitigate national security risks stemming from foreign investment. Since 2000, the number of mitigation agreements has grown steadily, rising roughly fourfold in the last decade. The Departments of Defense and the Treasury manage the largest numbers of mitigation agreements. To mitigate risks—such as foreign investors' accessing certain sensitive data—CFIUS imposes various measures. For example, CFIUS might require the U.S. company to establish access controls for certain information systems. Number of Active CFIUS Mitigation Agreements, by Calendar Year, 2000–2022 Note: “Mitigation agreements” includes agreements listed in notes to fig. 4, GAO-24-107358. Selected CFIUS member agencies monitor compliance with mitigation agreements by, among other things, conducting site visits to companies and working with independent auditors and monitors. If a company violates an agreement, CFIUS can take enforcement action, including imposing monetary penalties. The Department of the Treasury, as the committee's chair, issued public guidelines on CFIUS penalties in 2022. But CFIUS does not yet have a documented committee-wide process for deciding on enforcement actions, which has led to challenges in responding to certain violations, according to officials. CFIUS also does not have a documented committee-wide process for reviewing agreements for continued relevance. Documenting such processes would help ensure CFIUS member agencies respond in a timely manner to violations and can focus their resources on mitigation agreements that remain relevant. Over the last decade, selected CFIUS member agencies have expanded staffing to monitor and enforce compliance with the rising number of mitigation agreements. Treasury plans to expand its monitoring capacity by approximately doubling its staff. But Treasury has not documented its objectives for this increase, which it based on an estimate rather than an assessment of its needs. Documenting these objectives would allow Treasury to assess whether the increased staffing enables it to meet them. Further, officials of other selected member agencies said their staffing levels affect their monitoring, and CFIUS has not previously coordinated on staffing. Regular staffing coordination would help ensure CFIUS member agencies can effectively monitor and enforce compliance. Why GAO Did This Study The U.S. is historically the world's largest recipient of foreign investment. This benefits the U.S. economy but can also present national security risks. CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the U.S. to identify risks to national security. To mitigate such risks, CFIUS has authority to enter into legal agreements with the companies involved and to monitor compliance with the agreements. Treasury serves as the committee's chair. GAO was asked to review issues related to CFIUS mitigation agreements. This report (1) describes trends in mitigation agreements from 2000 through 2022, (2) evaluates selected CFIUS member agencies' approaches to monitoring and enforcing compliance with mitigation agreements and reviewing them for continued relevance, and (3) assesses the selected agencies' staffing for monitoring and enforcement. GAO selected five member agencies on the basis of the number of mitigation agreements each agency manages. GAO reviewed laws, regulations, and agency guidance. GAO also conducted a nongeneralizable review of mitigation agreements and interviewed agency officials. This is a public version of a sensitive report GAO issued in January 2024. Information Treasury identified as sensitive has been omitted.

What GAO Found In this eighth annual review, GAO found that most federal agencies that could be subject to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended (IAA), have published civil monetary penalty inflation adjustments for 2023 in the Federal Register and reported related information in their 2023 or 2022 agency financial reports (AFR) or equivalent. However, one agency published its inflation adjustment in the Federal Register as of December 31, 2023, but did not report the required information in its 2023 AFR for its civil monetary penalties. Why GAO Did This Study The IAA includes a provision, added in 2015, for GAO to annually submit to Congress a report assessing agencies' compliance with the annual inflation adjustments the act requires. For more information, contact Paula M. Rascona at (202) 512-9816 or rasconap@gao.gov.

DOT administers billions of dollars in discretionary grants to improve transportation in the United States. To help ensure that DOT awards these grants to projects that best support needed improvements, the agency should implement our recommendations to enhance the clarity and transparency of its award processes. The Big Picture The nation's surface transportation system that moves both people and freight is aging and faces increasing demands on its use. Due to its potential impacts on public safety and economic growth, funding the nation's surface transportation system has been on GAO's High Risk list since 2007. The cost of repairing and upgrading the system continues to exceed the revenues available for improvements. As such, we have highlighted the importance of spending surface transportation funding wisely and efficiently. This is particularly true for the Department of Transportation (DOT), which provides funding to states and other eligible entities. DOT awards some of this funding through competitive (discretionary) grants. Typical DOT Discretionary Grant Application and Review Process The Infrastructure Investment and Jobs Act (IIJA) provided about $540 billion in funding for surface transportation for fiscal years 2022 through 2026. According to DOT, this included over $110 billion for DOT discretionary grant programs. We have recently reported on four of these programs. They received, in total, $24.5 billion in IIJA funding for fiscal years 2022 through 2026. These programs are: Rebuilding American Infrastructure with Sustainability and Equity (RAISE) ($7.5 billion), Infrastructure for Rebuilding America (INFRA) ($8 billion), Reconnecting Communities and Neighborhoods ($1 billion), and Capital Investment Grants (CIG) ($8 billion).  What GAO's Work Shows We reported that in fiscal year 2022 (the first year of IIJA funding), DOT awarded about $3.75 billion through the RAISE and INFRA programs. Award Totals for RAISE and INFRA Programs, by State and Territory, Fiscal Year 2022 Note: The total award amount shown on this map is about $3.75 billion. For fiscal year 2022, the INFRA program received funding from the IIJA and the RAISE program received funding from the IIJA and the Consolidated Appropriations Act, 2022. The map includes awards to all recipients within a state. As of April 2024, DOT announced an additional $5.2 billion (rounded to the nearest ten million) in awards in the next funding rounds for these two programs. $2.3 billion in awards for 162 projects throughthe RAISE program for fiscal year 2023. $2.9 billion in awards for 28 projects throughthe INFRA program for fiscal years 2023 and 2024. In work issued both before and after the passage of the IIJA, we found that DOT’s administration of discretionary grant programs did not always align with requirements set by the Office of Management and Budget and DOT, respectively, raising concerns over their consistency and transparency. For example: Inconsistent documentation. We found that while DOT generally followed the processes outlined in the notice of funding opportunity (NOFO) and its own internal guidance when evaluating INFRA applications, DOT did not consistently provide complete and accurate documentation on its evaluation process. This documentation would better ensure DOT’s consistent implementation of its policies as designed. Insufficient transparency. We found that DOT’s process for evaluating RAISE applications did not fully align with federal regulations and DOT guidance for ensuring the fairness and transparency of discretionary grant programs. For example, DOT did not publicly disclose two selection factors used to make award decisions in its NOFO. In addition, the Federal Transit Administration (FTA), which administers the CIG program, did not always provide project sponsors with clear information on its methods or the factors it considered when reviewing projects. Challenges and Opportunities From July 2020 through January 2024, we made 17 recommendations to improve the management of these four programs. As of February 2024, 16 of these recommendations remain open or partially open. Open recommendations include that: DOT identify all selection factors in its RAISE NOFO and document its specific rationale for not selecting certain projects; DOT establish quality control procedures to verify that its documentation is complete and clearly define its “exemplary project” criteria for advancing INFRA applications for potential selection; DOT establish performance measures for, and evaluate the results of, its Reconnecting Communities Pilot program; and FTA take steps to clarify the methods it uses and factors it considers when reviewing projects for CIG grants, and to communicate information to sponsors in a timely manner. Additionally, in 2016 we recommended that DOT issue department-wide requirements for discretionary grant programs. We made this recommendation based on finding similar documentation and transparency challenges in the administration of discretionary grant programs DOT awarded to improve the resilience of transit systems following Hurricane Sandy. We recommended requirements to document key decisions and to develop a plan for evaluating project proposals, including how the process will ensure a consistent review of applications. We subsequently designated this as a priority recommendation. In February 2024, DOT officials said that they are targeting the end of the calendar year to implement the recommendation. For more information, contact: Elizabeth Repko, RepkoE@gao.gov, (202) 512-2834.

What GAO Found Tactical and airport response plans and a federal interagency agreement describe the roles for responding to errant or malicious drone operations near airports. As described in these plans, local law enforcement authorities are expected to be the first to respond to a drone sighting. The federal government can assist in responding to an incident at an airport as outlined in the federal interagency agreement. The Departments of Homeland Security (DHS), Justice (DOJ), Defense, and Energy have express statutory authority to use counter-drone technologies if certain statutory criteria are met. They also have federal statutory exemptions from specified federal criminal laws that are potentially applicable to the use of such technologies. These technologies can be used at an airport by DHS and DOJ if the drone poses, for example, a credible threat to safety or security and the DHS Secretary or the Attorney General designates the airport for an emergency response. GAO concluded that modifications to statutory authorities for drone detection and counter-drone operations could better protect airports against an active drone threat. The Federal Aviation Administration (FAA) is testing drone detection and counter-drone technologies and is required to develop a plan for their use at airports. FAA is also pursuing several efforts to allow increased and routine drone operations. In various documents, FAA acknowledges the effects counter-drone technologies may have on other integration efforts but does not address how it will assess those effects. Including steps for this assessment in the agency's forthcoming drone integration strategy could help ensure that such technologies will work in harmony with FAA's other efforts, such as developing a drone traffic management system and rules for operating drones beyond operators' visual line of sight. Unauthorized Drone Flights Near Airports Present Safety and Security Threats This is a public version of a sensitive report that was issued in October 2023 and omits some information that DHS deemed sensitive. In some cases, the omitted information was, in part, the basis for GAO conclusions presented in this report. Why GAO Did This Study In recent years, FAA has reported a significant number of drone sightings at or near airports. FAA prohibits drone operations that interfere with airport operations. Whether errant or malicious, unauthorized drone flights around airports present safety and security threats and can result in flight delays. GAO was asked to review drone detection and mitigation issues at airports. This report examines (1) federal and local roles for responding to a drone incident at an airport, (2) federal legal authorities related to using drone detection and counter-drone technology at airports, and (3) FAA actions to plan for using the technology at airports and its effects on drone integration efforts. GAO reviewed relevant federal statutes, regulations, agency documents, and reports. GAO interviewed FAA and DHS, and 18 aviation, law enforcement, and other entities to obtain a range of perspectives. GAO also reviewed FAA planning documents to determine how counter-drone technologies were incorporated into FAA's drone integration efforts.

What GAO Found The U.S. Virgin Islands' (USVI) Government Employees' Retirement System (GERS) remains one of the lowest funded public pension plans in the United States, according to GAO's analysis of national data. These plans offer a lifetime benefit for government workers. While most public plans in GAO's review had sufficient expected assets to cover between 60 and 111 percent of plan liabilities as of 2021, GERS had enough to cover about 10 percent. To improve plan solvency, GERS has made changes to its plan since 2005—similar to eight other selected public plans, including in the four U.S. territories. These changes applied to all new hires and included decreasing benefits, increasing the retirement age, and increasing employee contributions. The USVI government secured additional funding for the plan through an excise tax on rum in April 2022. However, GERS continues to face the risk of insolvency. According to GAO's analysis, GERS may face insolvency within the next 10 years if the excise tax rate is lower than expected or if rum sales decline, among other risks. For example, the GERS' revenue projections for the excise tax used a $13.25 per proof gallon tax rate that expired in 2021 and reverted to a lower statutorily defined rate in 2022 ($10.50). While the USVI government has paid the resulting shortfall in 2023, it is not required and may not be sustainable. This could result in a long-term funding shortfall (see figure). GERS Funding Projections Using Different Excise Tax Rates on Rum According to interviews with stakeholders and plan officials, and literature GAO reviewed, a shared commitment between the government and the plan to ensure funding is adequate, resilient, achievable, and enforceable can help ensure a plan's promised benefits. The USVI government could consider several options to better ensure such benefits. For example, some governments have dedicated additional specific revenue streams, such as a portion of sales taxes, to their plans. In the past, GERS also received government funding for administrative expenses. The Department of the Interior can provide limited technical assistance upon request, such as for examining strategies to address risks. Why GAO Did This Study GERS is a defined benefit pension plan that covers all USVI government employees and retirees. It includes nearly 19,000 participants. The plan has historically been underfunded by the USVI government. In 2021, GERS actuaries projected that the plan would be insolvent by March 2025. The USVI government has made changes to the plan over the years to maintain its solvency, including providing GERS with additional funding in 2022. However, the plan continues to face uncertainties. GAO was asked to review the financial position of GERS. This report describes (1) how GERS compares with other public defined benefit pensions regarding funding and benefits, (2) risks GERS faces in being able to pay promised pension benefits, and (3) options for the USVI government and GERS to better ensure GERS provides promised pension benefits. GAO analyzed 2021 data on the characteristics of selected public pension plans from the Center for Retirement Research at Boston College, as well as 2021 and 2022 GERS data from the USVI government. In both cases, these were the most recently available data at the time of GAO's analysis. GAO reviewed publicly available information from eight public pension plans, selected to represent a mix of plan size and funding status. GAO also reviewed information from GERS actuaries and investment consultants and from relevant literature. GAO interviewed USVI and GERS officials; stakeholder groups such as actuary, state retirement administrator and other associations; and Department of the Interior officials. For more information, contact Tranchau (Kris) T. Nguyen at (202) 512-7215 or nguyentt@gao.gov, or Frank Todisco at (202) 512-2700 or todiscof@gao.gov.

What GAO Found Federal correctional and immigration detention facilities can place individuals in restrictive housing settings in certain circumstances. Restrictive housing generally consists of one- or two-person cells that isolate individuals from the general population. U.S. Immigration and Customs Enforcement (ICE) and the Bureau of Prisons (BOP) have policies and processes that govern their use of restrictive housing. Two prior studies examined restrictive housing at BOP, both of which identified ways for BOP to improve oversight. The first was a 2014 contracted assessment and the second was a 2016 Department of Justice report. In February 2024, GAO reported that BOP had not fully implemented 54 of 87 recommendations from these two studies. BOP had fully implemented 33, partially addressed 42, and had not taken any steps to address the remaining 12 recommendations. This was due in part to BOP not assigning responsibility for recommendation implementation to appropriate officials and not establishing a time frame for completion. GAO recommended that BOP develop and execute an approach to fully implement recommendations from these prior studies. This would include assigning implementation responsibility, establishing a time frame for completion, and monitoring progress. BOP concurred and described its planned steps. BOP and ICE have not consistently collected or used information needed for restrictive housing oversight. In reports from 2020–2024, GAO recommended actions to improve both BOP's processes for monitoring restrictive housing operations and BOP and ICE's analysis of complaints data. For example: In February 2024, GAO found that BOP was not monitoring key aspects of restrictive housing operations. Specifically, it did not examine the cause behind substantial racial disparity in a restrictive housing unit designed for individuals with heightened security concerns. GAO recommended that BOP conduct an evaluation to determine and address the cause of the racial disparity. BOP concurred and as of February 2024, said it would take steps to implement it. In August 2020 and February 2024, GAO found that neither ICE nor BOP was analyzing complaint data from those in its custody to identify areas for improvement, such as concerns over restrictive housing conditions. GAO made recommendations to ICE and BOP to analyze complaint data, which could help each agency identify trends and ultimately enhance oversight. As of December 2023, ICE has taken some steps, including integrating several data systems that store detention-related information into a new system to provide enhanced analysis capabilities. As of February 2024, BOP agreed to take steps toward implementation. Why GAO Did This Study ICE recorded 14,581 restrictive housing placements of detained noncitizens from fiscal years 2017 through 2021. Those placements increased by 18 percent from fiscal year 2017 to 2020 before declining in 2021. As of October 2023, BOP housed about 8 percent of all incarcerated individuals (approximately 11,600) in restrictive housing. Studies have shown some potentially harmful mental and physical impacts of such placements. This statement discusses the extent to which (1) BOP has addressed recommendations from two prior restrictive housing studies and (2) BOP and ICE have information needed to manage and oversee use of restrictive housing. This statement is based on three prior GAO reports published from August 2020 through February 2024, along with selected updates on ICE efforts to address previous GAO recommendations. To produce those reports, GAO reviewed ICE and BOP documentation, analyzed data, and interviewed agency officials. For selected recommendation updates, GAO reviewed documents and interviewed ICE officials.

What GAO Found GAO identified nine Department of Homeland Security (DHS) groups that are focused on sharing information internally within the department. GAO found the purpose of these groups was generally to facilitate information sharing for one of the following three purposes: (1) leadership decision-making; (2) internal policymaking, or (3) threat identification.  Categories of Department of Homeland Security (DHS) Internal Information Sharing Groups and Their Purpose Note: These groups were operational any time from January 1, 2020, through September 30, 2023.aDHS discontinued the Operations Deputies Board in 2022 as part of a departmental reorganization initiative. Although there was no evidence of unnecessary duplication among these nine groups, GAO found that some of the groups' purposes and activities had the potential for overlap. In those instances, GAO also found that agency officials associated with these groups described activities to leverage their respective resources and information—a leading interagency collaboration practice—to mitigate possible duplication. For example, according to DHS officials, the Homeland Security Intelligence Council, which is composed of less senior staff than the Counter Threats Advisory Board, schedules its meetings to occur a month or so before board's meetings. This allows the more detailed information from the council meetings to inform meetings of more senior staff serving on the board. Why GAO Did This Study GAO was asked to review the number and purpose of groups DHS uses to promote information sharing across its headquarters offices and components. This report (1) describes the various groups DHS uses to promote internal information sharing and their purpose and operating status and (2) identifies the extent to which any similar groups collaborate to avoid duplicating efforts. GAO identified information sharing groups with select characteristics that were operational any time between January 1, 2020, and September 30, 2023, the most recent calendar years at the time GAO distributed its request for information to DHS. GAO reviewed documentation, such as charters, policies, and procedures, and interviewed relevant DHS headquarters and component officials about the history of the information sharing groups it identified. For more information, contact Triana McNeil at: 202-512-8777 or McNeilT@gao.gov.

What GAO Found The Department of Health and Human Services (HHS) estimated a combined total of over $100 billion in improper payments in the Medicare and Medicaid programs in fiscal year 2023. This represents 43 percent of the government-wide total of estimated improper payments that agencies reported for that year. Improper Payments Estimates for Fiscal Year 2023 Note: Estimates also include payments whose propriety cannot be determined due to lacking or insufficient documentation. The Centers for Medicare & Medicaid Services (CMS), within HHS, has taken several steps in response to GAO recommendations to help reduce improper payments in Medicare and Medicaid. These actions have resulted in billions of dollars in federal savings. For example: Improved fraud prevention in Medicare. CMS implemented capabilities that automatically stopped payments of certain improper and non-payable claims. These improvements generated an estimated almost $2 billion in savings over a 5-year period. Improved Medicaid managed care oversight. CMS worked with states and audit contractors to improve oversight. This included an exponential increase in investigations of managed care providers, from 16 in 2016 through 2018 to 893 in 2019 through 2021. Preliminary results indicate that the audits are identifying overpayments. In the current fiscal environment, addressing improper payments and providing sufficient oversight of program spending, more generally, is particularly important. Federal spending for Medicare and Medicaid has grown by almost 80 percent over the past decade and growth in these and other health programs is projected to continue. Health Care and Other Government Program Spending, Actual and Projected CMS and congressional action on GAO recommendations related to Medicare and Medicaid has resulted in over $200 billion in financial benefits since 2006. Action on recommendations that remain unimplemented would further enhance program integrity and save billions of dollars in Medicare and Medicaid spending. Provider screening and enrollment. GAO recommended CMS expand its review of states' implementation of provider screening and enrollment requirements in Medicaid, and monitor progress when states are not fully compliant. For Medicare, GAO recommended that CMS implement a risk-based plan for revalidating enrollment for Medicare providers after pauses during the COVID-19 pandemic. Prepayment claim reviews in Medicare. GAO recommended that CMS seek legislative authority to allow Recovery Auditors to conduct prepayment claim reviews, which are generally more cost effective than postpayment reviews in preventing improper payments. Equalizing certain Medicare payments. GAO recommended that Congress take action to address that Medicare pays more for certain services based on where they are provided. Congress has taken some actions. For example, this committee proposed and the House passed legislation to equalize payments for certain drug administration services. Taking additional steps to equalize payments has been estimated to save Medicare $141 billion over 10 years. Telehealth. In response to the COVID-19 pandemic, HHS temporarily waived certain Medicare restrictions on telehealth and use increased dramatically. We recommended CMS comprehensively assess the quality of telehealth services in Medicare, which is needed to ensure those services are medically necessary, among other things. Medicaid demonstrations. In response to GAO recommendations, CMS has made changes to its policies for ensuring that demonstrations do not increase federal spending, reducing federal liabilities by over $120 billion. Additional action by CMS and Congress could result in further savings. State auditors. State auditors play an important role in Medicaid oversight and have identified improper payments and other deficiencies through their reviews. GAO recommended that CMS use trends in state auditor findings to inform its Medicaid oversight and share information on the status of actions to address findings with state auditors. Why GAO Did This Study In 2023, the Medicare program spent an estimated $1.0 trillion to provide health care services for approximately 66 million elderly and disabled individuals. This involved processing over a billion transactions. Medicaid is a joint federal-state program that finances health care for low-income and medically needy individuals. It is the second largest health care program by expenditures, with an estimated $849 billion in federal and state spending for services provided to about 90 million individuals in 2023. Medicare and Medicaid are complex and large programs. They represented 26 percent of federal program spending in fiscal year 2023. The programs are susceptible to improper payments, as well as potential mismanagement and fraud, waste, and abuse. As a result, GAO added Medicare to its High-Risk list in 1990 and Medicaid in 2003. This testimony focuses on examples of steps taken by CMS to reduce improper payments in Medicare and Medicaid, as well as actions still needed by CMS and Congress. It draws on GAO's reports issued and recommendations made from 2008 through 2024 on the Medicare and Medicaid programs and known steps CMS has taken to address these recommendations as of March 2024.

What GAO Found The amount of funding available for Department of Defense (DOD) counternarcotics and counter–transnational organized crime activities changed from about $750 million in fiscal year (FY) 2018 to about $580 million in FY 2022. In FY 2022, DOD allocated most of the funding to support detection and monitoring activities and allocated the remainder to support intelligence activities and efforts, such as constructing training facilities, in partner nations. DOD's six geographic combatant commands—DOD components responsible for efforts in designated geographic areas—coordinate on activities. However, three reported varying understandings of their roles in an overlapping joint operation area, including confusion over the management of air and naval operations. Although DOD required the three commands to develop agreements defining their responsibilities, the three commands have not fully documented their roles in the overlapping joint operation area. Without such agreements, confusion about the commands' responsibilities in the area may continue, reducing DOD's ability to disrupt the transport of illicit drugs to the U.S. Map Showing Overlap of Joint Operation Area DOD has not assessed the agency-wide effectiveness of its counternarcotics and counter–transnational organized crime activities and does not have a plan for future assessments. DOD has defined its strategic objectives, strategies, and performance goals. But contrary to key practices, it has not identified measurable outcomes for each strategic objective. As a result, DOD cannot measure progress toward these objectives. Officials also said they intend to assess agency-wide progress but have not developed a plan to do so. Assessing agency-wide progress toward its strategic objectives would better position DOD to make decisions about priorities, resource allocations, and strategies for improvements. Why GAO Did This Study The U.S. government has identified illicit drugs, as well as the criminal organizations that produce and traffic them, as significant threats to both the U.S. and partner nations. DOD is the lead department responsible for detecting and monitoring the aerial and maritime transport of illicit drugs to the U.S. Senate report 117-130 accompanying the FY 2023 National Defense Authorization Act contains a provision for GAO to examine issues related to counternarcotics and counter–transnational organized crime activities. This report examines (1) funding available for DOD's activities and funding allocation in FYs 2018 through 2022; (2) the extent to which DOD components coordinate activities; and (3) how DOD assessed the effectiveness of these activities, and the extent to which its future assessments align with key practices. GAO reviewed DOD documents and data about its authorities, funding, and activities, including coordination and performance management. GAO also interviewed DOD officials, including officials at headquarters and combatant commands.

What GAO Found GAO estimated total direct annual financial losses to the government from fraud to be between $233 billion and $521 billion, based on data from fiscal years 2018 through 2022. The range reflects the different risk environments during this period. Ninety percent of the estimated fraud losses fell in this range. GAO collected data from three key sources to develop the estimate: investigative data, such as the number of cases sent for prosecution and the dollar value of closed cases; Office of Inspector General (OIG) semiannual report information; and confirmed fraud data reported to the Office of Management and Budget (OMB) by agencies. GAO organized these data around three fraud categories—adjudicated, detected potential, and undetected potential. Model design and validation were also informed by 46 fraud studies. OIG and other knowledgeable officials agreed with these categories and subcategories. Categories of Fraud-Related Data Used in GAO's Estimate GAO's approach is sensitive to the assumptions made about fraud and accounts for data uncertainty and limitations. GAO used a well-established probabilistic method for estimating a range of outcomes under different assumptions and scenarios where there is uncertainty. The estimate does not include fraud loss associated with federal revenue or fraud against federal programs that occurs at the state, local, or tribal level unless federal authorities investigated and reported it. GAO's estimate is in line with other estimates of fraud losses from the United Kingdom and Association of Certified Fraud Examiners, among others. As a first of its kind government-wide estimate of federal dollars lost to fraud, there are known uncertainties associated with the model and underlying data important to interpreting the results. These include caveats related to applying the estimate to agencies or programs. GAO's model was developed to estimate government-wide federal fraud. The fraud estimate's range represents 3 to 7 percent of average federal obligations. These percentages should not be applied at the agency or program level. While every federal program and operation is at risk of fraud, the level of risk can vary substantially. Controls, growth or shrinkage of budget, and the emergence of new fraud schemes are some reasons the risk level can vary; drawing conclusions about pandemic fraud. GAO's estimate is based on data from fiscal years 2018 through 2022. The data include time periods and programs with and without pandemic-related spending. Therefore, the estimate includes, but is not limited to, pandemic-related spending fraud. While the upper range of the estimate is associated with higher-risk environments, it is not possible to break out a subset of our government-wide estimate to describe pandemic program fraud; comparing with improper payment estimates. GAO's estimate is not comparable to improper payment estimates. Improper payment estimates are based on a subset of federal programs, using a methodology not designed to identify fraud. GAO has also consistently reported that the federal government does not know the full extent of improper payments and has long recommended that agencies improve their improper payment reporting. In contrast, GAO's fraud estimate includes all federal programs and operations and is based on fraud-related data. With these differences in scope and data, the upper end of GAO's estimated fraud range exceeded annual improper payment estimates; and assuming the estimate is predictive. GAO's estimate is not based on a predictive model. Factors such as the amount of emergency spending, the effectiveness of federal fraud risk management, and the nature of new fraud threats could substantially impact the scale of future fraud. GAO has previously issued Matters for Congressional Consideration and recommendations to improve agencies' program integrity, including fraud risk management. Fraud estimation provides opportunities to improve fraud risk management, according to OIG and agency officials. For example, estimates can demonstrate the scope of the problem, improve oversight prioritization, and help determine the return on investment from fraud risk management activities. While it is not possible to eliminate fraud, with a better understanding of the costs, agencies will be better positioned to manage the risk. How Fraud Estimates Can Improve Fraud Risk Management OIG and agency officials noted challenges in producing fraud estimates, such as limited available fraud-related data and use of varying terms and definitions of fraud for recording data. These data gaps and variability result in information that cannot be readily compared or consolidated to determine the extent of fraud across the federal government. Guidance for collecting and reporting fraud-related data is currently limited to OIG semiannual reports and confirmed fraud reported by agencies to OMB, which are not designed to support fraud estimation. With guidance targeted to the purpose of fraud estimation, agencies and OIGs would be better positioned to collect and report data on potential and adjudicated fraud in support of estimation efforts. OIG and agency officials also noted the utility of agency or program-level estimates compared with government-wide estimates. They further noted the need for expertise and data-analytics capacity to produce estimates. GAO previously reported that agencies identified limitations in expertise, data, and tools as a significant challenge for their fraud risk management efforts. These challenges could also impact agencies' ability to develop effective fraud estimates at a program or agency level. The Department of the Treasury's Office of Payment Integrity (OPI) supports agencies facing such challenges. OPI's resources are dedicated to preventing and detecting improper payments through a variety of data-matching and data-analytics services. Therefore, OPI is well positioned—with the expertise, data, and analytic tools—to evaluate and advance methods that the federal government can take to estimate fraud in support of fraud risk management. Why GAO Did This Study All federal programs and operations are at risk of fraud. Therefore, agencies need robust processes in place to prevent, detect, and respond to fraud. While the government obligated almost $40 trillion from fiscal years 2018 through 2022, no reliable estimates of fraud losses affecting the federal government previously existed. As part of GAO's work on managing fraud risks, this report (1) estimates the range of total direct annual financial losses from fraud based on 2018-2022 data and (2) identifies opportunities and challenges in fraud estimation to support fraud risk management. GAO estimated the range of total direct annual financial losses from fraud based on 2018-2022 data using a Monte Carlo simulation model. GAO identified opportunities and challenges through interviews and data collection focused on 12 agencies representing about 90 percent of federal obligations.

What GAO Found Private health plans contract with pharmacy benefit managers (PBM) to administer their prescription drug benefits and help control costs. Each of the five states selected for review—Arkansas, California, Louisiana, Maine, and New York—enacted a variety of laws to regulate PBMs. Fiduciary or other “duty of care” requirements. Four of the five states (California, Louisiana, Maine, and New York) enacted laws to impose a duty of care on PBMs. The laws varied from imposing a fiduciary duty—that is, a requirement to act in the best interest of the health plan or other entity to which the duty is owed—to what state regulators described as “lesser” standards such as a requirement to act in “good faith and fair dealing.” Drug pricing and pharmacy reimbursement requirements. The five states enacted a variety of laws relating to drug pricing and pharmacy payments, such as laws limiting PBMs' use of manufacturer rebates and their ability to pay pharmacies less than they charge health plans—a practice referred to as “spread pricing.” Transparency, including licensure and reporting requirements. To increase the transparency of PBM operations, the five states enacted laws that require PBMs to be licensed by or registered with the state, or both, and to report certain information such as drug pricing, fees charged, and the amounts of rebates received and retained. Pharmacy network and access requirements. The five states also enacted laws regarding pharmacy networks and patient access. Examples include laws prohibiting discrimination against unaffiliated pharmacies and limiting patient co-pays charged by PBMs. The regulators GAO interviewed from selected states described lessons learned regarding PBM regulation. Examples include the following. Regulators in four states said that providing regulators with broad regulatory authority was more effective than enacting specific statutory provisions. Doing so allowed regulators to address emerging issues without new legislation, according to regulators from one state. Some regulators also stressed the need for robust enforcement of PBM laws and effective penalties to enforce them. Two pharmacy associations GAO interviewed concurred with these views, while a health plan association said that monitoring is needed to ensure compliance with PBM requirements. Three regulators also said that clear reporting requirements and definitions helped ensure consistent enforcement. The Department of Labor provided technical comments on a draft copy of this report, which GAO incorporated as appropriate. Why GAO Did This Study Prescription drug spending by private health plans climbed to nearly $152 billion in 2021, an 18 percent increase from 2016. Health plans generally rely on PBMs to process claims, develop pharmacy networks, and negotiate rebates from drug manufacturers. However, some researchers and stakeholders have questioned certain PBM practices, such as PBMs retaining a share of the rebates and use of spread pricing. In response, states have begun to enact legislation addressing PBMs, with all 50 states having enacted at least one PBM-related law between 2017 and 2023. GAO was asked to review states' regulation of PBMs serving private health plans. Among other things, this report describes actions selected states have taken to regulate PBMs, and lessons learned that state regulators identified for PBM regulation. GAO focused on a selection of five states that have enacted a wide range of PBM laws, based on existing inventories maintained by national policy research organizations, such as the National Conference of State Legislatures. GAO reviewed states' laws and interviewed state regulators as well as a variety of other stakeholders. These included state pharmacy associations and state health plan associations in each of the five states, and four national organizations representing interests of PBMs, patients, employers, and drug manufacturers, respectively. For more information, contact John E. Dicken at (202) 512-7114 or dickenj@gao.gov.

What GAO Found The F-35 Lightning II aircraft (F-35) is the Department of Defense's (DOD) most ambitious and costly weapon system and its most advanced fighter aircraft. DOD operates and sustains about 630 F-35 aircraft and plans to buy about 2,500 total by the mid-2040s with a projected planned life into the 2080s. However, DOD's projected costs for sustaining the F-35 continue to increase while planned use of the aircraft declines. Specifically: Sustainment cost estimates have increased 44 percent, from $1.1 trillion in 2018 to $1.58 trillion in 2023. DOD's planned use of the F-35 and its availability have decreased. The Air Force, Navy, and Marine Corps project they will fly the F-35 less than originally estimated on an annual basis. The F-35 fleet's overall availability has trended downward considerably over the past 5 years, and none of the variants of the aircraft (i.e., the F-35A, F-35B, and F-35C) are meeting availability goals. The Air Force, Navy, and Marine Corps' have made progress in meeting their affordability targets (i.e., the amount of money they project they can afford to spend per aircraft per year for operating the aircraft). This is due in part to the reduction in planned flight hours, and because the Air Force increased the amount of money it projects it can afford to spend. DOD currently estimates the Air Force will pay $6.6 million annually to operate and sustain an individual aircraft. This continues to be well above the $4.1 million original target. In June 2023, the Air Force increased the amount of money it can afford to spend per F-35 aircraft to $6.8 million per year. DOD has pursued cost savings efforts and continues to look for new ways to reduce costs. However, DOD officials generally agree that these efforts are not likely to fundamentally change the estimated costs to operate the aircraft. Why GAO Did This Study DOD plans to use the F-35 aircraft through 2088 and plans to spend over $2 trillion on acquisition and sustainment. The National Defense Authorization Act for Fiscal Year 2022 includes a provision for GAO to conduct an annual review of F-35 sustainment efforts, including DOD's ability to reduce sustainment costs, or otherwise maintain the affordability of the F-35 fleet. This report provides information on the F-35's sustainment cost estimates over the life of the program, actions taken by the F-35 Joint Program Office to reduce sustainment costs, and the extent to which the F-35 fleet has met performance goals. GAO analyzed DOD's F-35 sustainment cost estimates and performance data and interviewed cognizant DOD officials about these issues.

What GAO Found As of February 2024, DOD testing had not detected any per-and polyfluoroalkyl substances (PFAS) in the active drinking water shaft at Joint Base Pearl Harbor-Hickam. PFAS are a large group of heat and stain resistant chemicals that can persist in the environment—including in water, soil, and air—for decades or longer. In November 2022, during maintenance activities 1,300 gallons of aqueous film-forming foam (AFFF) concentrate was released from a pipe in a tunnel at the Red Hill Bulk Fuel Storage Facility at Joint Base Pearl Harbor-Hickam in Hawaii. Because AFFF—a product used to fight flammable liquid fires—contains PFAS, this incident raised concerns about PFAS in the installation's drinking water and how the Department of Defense (DOD) remediates PFAS contamination at the installation. Following the AFFF release, DOD took immediate action to ensure the AFFF was contained and removed from the affected area. Both DOD and the Environmental Protection Agency (EPA) have since completed investigations of the November 2022 AFFF release and issued final reports. Both investigations recommended that (1) increased government oversight of AFFF-related activities at the Red Hill facility was necessary, (2) all AFFF concentrate should be removed from the Red Hill facility, and (3) the AFFF system at Red Hill should be decommissioned. On April 10, 2024, EPA announced a National Primary Drinking Water Regulation establishing allowable levels of 4 parts per trillion for certain PFAS in drinking water (one part per trillion is equivalent to a single drop of water in 20 Olympic-sized swimming pools). Prior to this, PFAS in drinking water were not regulated at the federal level. However, in 2016, under the authority of the Safe Drinking Water Act, EPA published health advisory levels of 70 parts per trillion for certain PFAS in drinking water. Since 2016, DOD has had policies in place for monitoring PFAS levels in drinking water at its installations at 70 parts per trillion. Joint Base Pearl Harbor-Hickam regularly monitors for PFAS in its active drinking water shaft at frequencies required by DOD policy and requests by EPA and the state of Hawaii. While PFAS have not been detected in the active drinking water shaft at the installation, low amounts of PFAS falling below 70 parts per trillion have been detected in the installation's two inactive drinking water shafts. These two shafts are currently not in use and according to DOD officials, the PFAS detected are not due to the November 2022 AFFF release. According to DOD policy and officials we met with, DOD will implement and comply with the April 2024 EPA regulation. PFAS contamination at Joint Base Pearl Harbor-Hickam is being addressed by DOD's environmental restoration program. Through this program the Navy has identified 32 sites of known or potential PFAS contamination (e.g., soil or groundwater) at Joint Base Pearl Harbor-Hickam and is taking steps to assess these sites and, where appropriate, develop plans for their long-term cleanup. The Navy has finalized its preliminary assessment and site inspection reports for these 32 sites, with recommendations for the areas in 20 of these sites to advance to the in-depth remedial investigation phase of the environmental cleanup program. The remaining 12 sites were found to have no documentation of past use of AFFF or other potentially PFAS-containing products or materials. Why GAO Did This Study DOD has policies related to monitoring PFAS levels in drinking water at its installations, long term cleanup of PFAS contamination, and use and disposal of products containing PFAS. According to EPA, exposure to certain PFAS may have adverse effects on human health, including effects on fetal development, the immune system, and the thyroid, and may cause liver damage and cancer. GAO was asked to examine DOD efforts to address PFAS contamination at Joint Base Pearl Harbor-Hickam. This report describes DOD's response to the November 2022 AFFF release at the installation; DOD processes for ongoing monitoring and long-term cleanup of PFAS at Joint Base Pearl Harbor-Hickam; and DOD's and EPA's policies addressing PFAS in the environment. To conduct this work, GAO reviewed and summarized information from previous GAO reports and relevant DOD, EPA, and state of Hawaii guidance, policies, and other documentation on regulating release, response, use, and disposal of PFAS-containing substances. GAO interviewed DOD, EPA, and state of Hawaii officials and conducted a site visit to Joint Base Pearl Harbor-Hickam to observe the site of the November 2022 AFFF release. GAO met with Navy and state of Hawaii officials to understand the Navy's response to and cleanup of the release, as well as ongoing efforts to monitor and cleanup PFAS at Joint Base Pearl Harbor-Hickam. For more information, contact Alissa Czyz at (202) 512-3058 or CzyzA@gao.gov.