GAO - OIG

Science & Tech Spotlight: Combating Deepfakes

Why This Matters Malicious use of deepfakes could erode trust in elections, spread disinformation, undermine national security, and empower harassers. Key Takeaways Current deepfake detection technologies have limited effectiveness in real-world scenarios. Watermarking and other authentication technologies may slow the spread of disinformation but present challenges. Identifying deepfakes is not by itself sufficient to prevent abuses. It may not stop the spread of disinformation, even after the media is identified as a deepfake. The Technology What is it? Deepfakes are videos, audio, or images that have been manipulated using artificial intelligence (AI), often to create, replace, or alter faces or synthesize speech. They can seem authentic to the human eye and ear. They have been maliciously used, for example, to try to influence elections and to create non-consensual pornography. To combat such abuses, technologies can be used to detect deepfakes or enable authentication of genuine media. Detection technologies aim to identify fake media without needing to compare it to the original, unaltered media. These technologies typically use a form of AI known as machine learning. The models are trained on data from known real and fake media. Methods include looking for (1) facial or vocal inconsistencies, (2) evidence of the deepfake generation process, or (3) color abnormalities. Authentication technologies are designed to be embeddedduring the creation of a piece of media. These technologies aim to either prove authenticity or prove that a specific original piece of media has been altered. They include: Digital watermarks can be embedded in a piece of media, which can help detect subsequent deepfakes. One form of watermarking adds pixel or audio patterns that are detectable by a computer but are imperceptible to humans.The patterns disappear in any areas that are modified, enabling the owner to prove that the media is an altered version of the original. Another form of watermarking adds features that cause any deepfake made using the media to look or sound unrealistic. Metadata—which describe the characteristics of data in a piece of media—can be embedded in a way that is cryptographically secure. Missing or incomplete metadata may indicate that a piece of media has been altered. Blockchain. Uploading media and metadata to a public blockchain creates a relatively secure version that cannot be altered without the change being obvious to other users. Anyone could then compare a file and its metadata to the blockchain version to prove or disprove authenticity. Figure 1. Examples of Deepfake Detection and Authentication How mature is it? Detection technologies. According to recent studies, existing detection methods and models may not accurately identify deepfakes in real-world scenarios. For example, accuracy may be reduced if lighting conditions, facial expressions, or video or audio quality are different from the data used to train the detection model, or if the deepfake was created using a different method than that used in the training data. Further, future advances in deepfake generation are expected to eliminate hallmarks of current deepfakes, such as abnormal eye blinking. Authentication technologies. These technologies are not new, but their use in combating deepfakes is an emerging area. Several companies offer authentication services, including using digital watermarks, metadata, and blockchain technologies. Some claim to let website visitors authenticate media found on the internet, provided the original is in the company’s database. Prominent social media companies are also beginning to label AI-generated content. Opportunities Combined defenses. Using multiple detection and authentication methods may help to identify deepfakes. Updated training datasets. Including diverse and recent media in training data could help detection models keep up with the latest deepfake generation techniques. Competitions. Deepfake detection competitions could encourage the development of more accurate detection tools and models. One 2019 competition included over 2,000 participants and generated over 35,000 models. Challenges Disinformation and public trust. Disinformation can spread from the moment a deepfake is viewed, even if it is identified as fraudulent. Further, trust in real media may be undermined by false claims that real media is a deepfake or if people do not trust a detection model’s results. Adaptation to detection. Techniques and models used to identify deepfakes tend to lead developers to create more sophisticated deepfake generation techniques. Policy Context and Questions Are current laws and regulations adequate to address evolving concerns about the malicious use of deepfakes? How do they address data security, privacy concerns, and First Amendment considerations, such as a deepfake creator’s freedom of speech and expression? What entities (e.g., government, nonprofit, private company) should make decisions about identifying and blocking deepfakes, or about when and how to sanction those who produce or disseminate them? How can organizations across society coordinate on the development and improvement of deepfake detection and authentication technologies? What standards could be used or developed to evaluate these technologies? Selected GAO Work Science & Tech Spotlight: Deepfakes, GAO-20-379SP Technology Assessment: Blockchain, GAO-22-104625 Selected References Gourav Gupta, Kiran Raja, Manish Gupta, Tony Jan, Scott Thompson Whiteside, and Mukesh Prasad, “A Comprehensive Review of DeepFake Detection Using Advanced Machine Learning and Fusion Methods,”Electronics, vol. 13, no. 95 (2024) https://doi.org/10.3390/electronics13010095. National Security Agency, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency,Contextualizing Deepfake Threats to Organizations, Sept. 2023. For more information, contact Brian Bothwell at (202) 512-6888 or bothwellb@gao.gov.

Anti-Money Laundering: Better Information Needed on Effectiveness of Federal Efforts

What GAO Found Financial institution representatives that GAO interviewed identified actions the Financial Crimes Enforcement Network (FinCEN) could take to enhance the institutions' ability to identify and report suspicious activity. These include more updates on priority threats and tips to improve suspicious activity reports (SAR), which institutions file if they identify potential criminal activity. FinCEN may cover some of these actions as it implements the Anti-Money Laundering Act of 2020, the aims of which include improving information sharing and technology. GAO identified 31 sections in the Anti-Money Laundering Act of 2020 for which FinCEN is responsible for implementing. For example, FinCEN is to establish standards for financial institutions to test new anti-money laundering-related technology. As of November 2023, GAO found that FinCEN collectively had described its progress in implementing 19 sections through multiple publications and in varying detail. More complete disclosure of FinCEN's progress implementing the act would provide greater transparency and accountability. FinCEN surveys law enforcement agencies about their use of and satisfaction with FinCEN's products and services, such as its database of SARs. However, the surveys may not provide reliable information. FinCEN's 2018–2022 surveys had low response rates (ranging from 2 to 10 percent), raising the risk of biased results that do not represent the views of all agencies. FinCEN also did not analyze and adjust, as needed, results for nonresponse bias. As a result, the surveys may not provide FinCEN with a complete and reliable picture of law enforcement's satisfaction with its products and services. Federal agencies, including the Departments of Justice and Homeland Security, individually track outcomes of their illicit finance investigations (e.g., convictions and forfeitures). Some Justice data track these outcomes across multiple federal agencies (see figure). However, comprehensive, government-wide data do not exist because data collection is fragmented across multiple agencies and data may be incomplete. Developing a consistent methodology to comprehensively track outcomes would better inform federal agencies and Congress about the results and effectiveness of U.S. efforts to combat illicit finance. Outcomes of Defendants Charged under Money Laundering-Related Statutes, Fiscal Years 2018–2022 Why GAO Did This Study Criminal organizations launder illicit proceeds to facilitate and conceal crime. The Bank Secrecy Act, as amended, requires financial institutions to file SARs (which help law enforcement investigate crime) under certain conditions. FinCEN administers the act and maintains these reports in a database. GAO was asked to review U.S. efforts to combat illicit finance. This report examines (1) financial institution suggestions to enhance SAR processes, (2) FinCEN communication of its progress implementing the Anti-Money Laundering Act, (3) FinCEN surveys on law enforcement satisfaction with its products and services, and (4) data collection on efforts to combat illicit finance. GAO reviewed laws, guidance, and investigation data and interviewed FinCEN and federal law enforcement agencies. GAO also interviewed a nongeneralizable selection of 46 representatives of financial institutions and industry associations (such as banks, casinos, money services businesses, and broker-dealers).

Facial Recognition Technology: Federal Law Enforcement Agency Efforts Related to Civil Rights and Training

What GAO Found Seven law enforcement agencies within the Departments of Justice (DOJ) and Homeland Security (DHS), such as the Federal Bureau of Investigation and U.S. Secret Service, reported using facial recognition technology to support criminal investigations. Three of the seven agencies reported owning facial recognition technology. All seven reported using systems owned by other entities, such as state and local entities and nongovernment service providers. In September 2023, GAO found that three of the seven agencies had policies or guidance specific to facial recognition technology that were intended to help protect civil rights and civil liberties. The other four agencies—three in DOJ and one in DHS—did not have such policies or guidance. We also found that DOJ had taken steps to issue a department-wide policy but had faced delays. After our September 2023 report, DHS finalized a department-wide policy, which includes topics such as limiting the use of the technology; protecting privacy, civil rights, and civil liberties; and testing and evaluation of the technology. DOJ also said it has developed an interim policy on facial recognition technology with topics such as the protection of civil rights and civil liberties, and training requirements. However, GAO did not have an opportunity to review and confirm that information. The seven agencies reported using four nongovernment facial recognition services in total from October 2019 through March 2022 to support criminal investigations. All seven agencies had initially used these services without first requiring staff to take training on topics such as how facial recognition technology works, what photos are appropriate to use, and how to interpret results. GAO found that, cumulatively, agencies with available data reported conducting about 60,000 searches using facial recognition services when they did not have training requirements in place. Two of the seven agencies ultimately implemented training requirements as of April 2023. Of the remaining five agencies, two continued to use facial recognition services and three halted their use of the services as of April 2023. Facial Recognition Services Use and Training for Selected Agencies, April 2023 Note: The figure shows when agencies used the four services covered by our review (services used from October 2019 through March 2022), and when, if at all, agencies implemented training requirements for facial recognition services. The figure provides use and training information as of April 2023. See figure 2 of the statement for more detail. Why GAO Did This Study Law enforcement agencies may use facial recognition technology to help solve crimes. For example, the technology can allow users to quickly search through billions of photos to help identify an unknown suspect in a crime scene photo. Civil rights and civil liberties advocates have cautioned that an overreliance on the technology in criminal investigations could lead to the arrest and prosecution of innocent people, or that its use at certain events (e.g., protests) could have a chilling effect on individuals' exercise of their First Amendment rights. GAO was asked to testify before the United States Commission on Civil Rights on the use of facial recognition technology by DHS and DOJ. This statement discusses GAO's prior work examining the extent to which seven selected law enforcement agencies have (1) owned and used facial recognition technology, (2) developed policies to help protect civil rights and civil liberties related to its use, (3) required staff to take training prior to use, and (4) taken steps to address selected privacy requirements. This statement is based on reports published from 2021 through 2023 related to federal law enforcement agencies' use of facial recognition technology. To conduct that prior work, GAO administered a survey questionnaire to 42 federal agencies that employ law enforcement officers regarding their use of the technology, including the seven agencies that are the focus of this statement. GAO also reviewed relevant documents and interviewed agency officials. GAO selected the seven agencies because they previously reported owning or using facial recognition technology systems.

Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology

What GAO Found Operational technology (OT) systems and devices are used to control, among other things, distribution processes (e.g., oil and natural gas pipelines) and production systems (e.g., electric power generation). Figure 1 shows the key components of an OT system using a pipeline system as an illustrative example. Figure 1: Key Components of a Pipeline Operational Technology (OT) System Although 12 of the 13 selected nonfederal entities cited examples of positive experiences with the Cybersecurity and Infrastructure Security Agency's (CISA) OT products and services, CISA and seven of the nonfederal entities identified two types of associated challenges. Specifically: Seven selected nonfederal entities identified negative experiences using CISA's products and services as a challenge. For example, one nonfederal entity told GAO that vulnerabilities reported through CISA's process often take more than a year between the initial report of a vulnerability and public disclosure (see figure 2). CISA officials and one nonfederal entity identified the insufficient CISA staff with requisite OT skills as a challenge. For example, CISA officials stated that its four federal employees and five contractor staff on the threat hunting and incident response service are not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time. To address these types of challenges, best practices highlight the importance of (1) measuring customer service and (2) performing effective workforce planning. However, CISA has not fully addressed these practices. Until CISA does so, the agency will not be optimally positioned to deliver products and services needed to address OT risks. Figure 2: Cybersecurity and Infrastructure Security Agency (CISA) Operational Technology (OT) Cybersecurity Products and Services Six of the seven selected agencies cited examples of where their collaboration with CISA yielded positive outcomes to addressing cyber OT risks. However, four agencies also identified two challenges in coordinating with CISA: (1) CISA ineffectively sharing information with critical infrastructure owners and operators, and (2) CISA and the Pipeline and Hazardous Materials Safety Administration lacking a process to share cyber threat information with owners and operators. To address these types of challenges, it is important to adopt leading collaboration practices. However, CISA did not fully address any of five selected leading collaboration practices when coordinating with seven selected agencies (see table). Extent to Which the Cybersecurity and Infrastructure Security Agency (CISA) Addressed Selected Leading Collaboration Practices with Seven Selected Agencies to Mitigate Cyber Operational Technology Risks to Critical Infrastructure Collaboration practices CESER DC3 FRA NSA PHMSA TSA USCG Define common outcomes ◑ ◑ ◑ ◑ ◑ ◑ ◑ Ensure accountability ○ ○ ◑ ○ ◑ ◑ ◑ Bridge organizational cultures ◑ ◑ ◑ ◑ ◑ ◑ ◑ Clarify roles and responsibilities ◑ ◑ ◑ ◑ ◑ ◑ ◑ Develop and update written guidance and agreements ○ ◑ ○ ○ ○ ○ ◑ Source: GAO analysis of agency information. | GAO 24 106576 Legend: ●=Generally addressed. ◑=Partially addressed. ○=Not addressed. Note: CESER (Cybersecurity, Energy Security, and Emergency Response), DC3 (Department of Defense Cyber Crime Center), FRA (Federal Railroad Administration), NSA (National Security Agency), PHMSA (Pipeline and Hazardous Materials Safety Administration), TSA (Transportation Security Administration), and USCG (U.S. Coast Guard). The practices were not fully addressed, in part, because of the lack of (1) guidance from CISA to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues and (2) a CISA policy for developing agreements with sector risk management agencies with respect to collaboration. Until CISA takes action to address these weaknesses, it and the selected agencies will not be well-positioned to coordinate on mitigating cyber OT risks. Why GAO Did This Study Much of the nation's critical infrastructure relies on OT—systems that interact with the physical environment—to provide essential services. However, malicious cyber actors pose a significant threat to these systems. Federal law designates CISA as the lead agency in helping critical infrastructure owners and operators address cyber risks to OT. The National Defense Authorization Act of Fiscal Year 2022 includes a provision for GAO to report on CISA's support for industrial control systems. Federal guidance now addresses these systems under the broader category of OT. Accordingly, this report examines, among other things: (1) challenges in delivering CISA's OT products and services, and (2) challenges to collaborating between CISA and the seven selected agencies. GAO reviewed documentation describing CISA's 13 OT cybersecurity products and services. GAO also asked officials from CISA and 13 selected nonfederal entities to identify any challenges with the OT products and services. The selected entities included (1) councils representing one sector and three subsectors where OT was prevalent and the intelligence community highlighted their infrastructures as being at risk from cyber threat actors, (2) OT vendors who joined a CISA OT collaboration group, and (3) cybersecurity researchers that contributed to the development of CISA's OT advisories. GAO then compared CISA's efforts to address those challenges against leading practices regarding measuring customer service and workforce planning. In addition, GAO reviewed documentation describing CISA’s efforts to collaborate with seven selected agencies to mitigate cyber OT risks. The seven selected agencies are: (1) Department of Defense’s (DOD) Defense Cyber Crime Center (DC3); (2) DOD’s National Security Agency (NSA); (3) Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER); (4) Department of Homeland Security’s (DHS) Transportation Security Administration (TSA); (5) DHS’s U.S. Coast Guard (USCG); (6) Department of Transportation’s (DOT) Federal Railroad Administration (FRA); and (7) DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA). GAO focused on these agencies or departmental components because each was (1) within agencies designated as the lead for helping to protect the selected sector and three subsectors and (2) responsible for helping critical infrastructure owners and operators to mitigate cyber OT risks. GAO also asked officials from seven selected agencies to identify any challenges in collaborating with CISA to mitigate cyber OT risks. GAO then compared documentation from the seven agencies and CISA against five selected leading collaboration practices.

Defense Contracting: DOD Should Encourage Greater Use of Existing Expertise to Review Indemnification Requests

What GAO Found When a contract involves unusually hazardous or nuclear risk, which insurers may decline to cover, the government may indemnify defense contractors. This indemnification financially protects contractors from liability arising from a catastrophic incident. Contractors report that it also incentivizes them to complete work that would otherwise be financially untenable, as an incident could exceed the limit of a contractor's commercial insurance policy. Financial Protection Provided by Commercial Insurance and Government Indemnification Type of financial protection Coverage provided Commercial insurance Coverage provided for claims involving covered contractor products, subject to the limit of the insurance policy Government indemnification Coverage provided for claims, losses, or damages that arise out of or result from a risk that the contract defines as unusually hazardous or nuclear, and is not compensated for by insurance or other meansa Source: GAO analysis of aviation insurance industry and defense contractor information. I GAO-24-106403aIndemnification coverage is limited in some circumstances. For example, contractors will not be indemnified against government claims against the contractor or for losses or damages affecting the contractor's property, if the claim, loss, or damage is caused by willful misconduct or lack of good faith on the part of certain contractor officials. Indemnification requests are infrequent and generally approved. The Department of Defense (DOD) components that GAO reviewed reported receiving only about 350 indemnification requests over the past 15 years. Components' processes for evaluating indemnification requests varied. GAO found that contracting officials at some components were unaware of or did not use a specialized insurance review team within the Defense Contract Management Agency (DCMA) to assist in their evaluations. Components that did use this team found the reviews helpful. Lack of knowledge and use of this expertise means components may be missing an opportunity to facilitate the review process . Defense contractors generally obtain coverage for their work from multiple multi-national insurers. Insurers develop a comprehensive risk profile on contractors to determine what coverage they will provide. According to industry representatives, world events and market volatility in recent years shrunk the insurance market and reduced coverage available to contractors. Insurer representatives that GAO interviewed stated that as a result, government indemnification is an increasingly important factor they consider when providing coverage to defense contractors. DOD experienced challenges negotiating indemnification requests related to weapons carried on Virginia class submarines. Those challenges were resolved, but officials could not estimate the impact of these negotiations due to pre-existing program delays. Additionally, while contractors have expressed concern about not defining unusually hazardous risk in regulation, DOD officials noted the importance of maintaining the flexibility to consider indemnification requests based on each component's unique mission profile. Why GAO Did This Study Recently, DOD has experienced challenges indemnifying—or providing financial protection to—contractors working on certain weapon systems. A congressional report expressed concern that DOD's application of indemnification laws and an increase in programs with unusually hazardous risks could affect DOD's ability to field advanced weapon systems. The report included a provision for GAO to report on DOD's indemnification of contractors against unusually hazardous risk. GAO's report examines (1) how DOD has indemnified risk related to contracts over the past 15 years and how it makes those decisions, (2) how defense contractors obtain insurance and the risk factors that influence insurance coverage decisions, and (3) what indemnification challenges, if any, DOD and contractors have experienced and may experience in the future. GAO analyzed available indemnification data from six selected DOD components—including the military departments, Missile Defense Agency, and Defense Logistics Agency—from 2008 through 2022; reviewed government-wide and DOD indemnification policies and regulations; and interviewed officials at DOD, five selected defense contractors, and four selected insurers.

Coast Guard: Action Needed to Evaluate Efforts to Address Sexual Assault and Harassment

What GAO Found The Coast Guard has taken action to address sexual assault and harassment but has not developed a plan to assess its efforts. In a 2020 internal investigation called “Operation Fouled Anchor,” the Coast Guard examined 102 separate allegations of sexual assault from 1990 to 2006 at the Coast Guard Academy and concluded that the academy often mishandled these cases. More recently, service members reported a total of 263 sexual harassment allegations between September 2020 through April 2023, according to Coast Guard data. After media reporting on Operation Fouled Anchor in June 2023, the Commandant directed a 90-day review of policy processes, practices, and service culture relevant to countering sexual assault and harassment in the Coast Guard. The resulting report identified areas for organizational improvement to ensure a culture of accountability and transparency. In November 2023, the Commandant directed the Coast Guard to implement 33 initial actions by certain dates to address the findings of the review and help ensure service members have an experience free from sexual assault and harassment (see figure). The actions span six categories, including training, the academy, and information and data. According to Coast Guard officials, they have completed five actions as of February 2024. Number of Coast Guard Planned Actions Each Month to Respond to Sexual Assault and Harassment and Selected Examples The Commandant-directed actions include administering a Coast Guard-wide survey and analyzing survey results. However, the service has not developed an evaluation plan to assess the results of its 33 initial actions. According to Coast Guard officials, they have had discussions about assessing the results of the actions but have not developed plans or mechanisms to do so because measuring culture change is difficult. However, these officials identified certain resources, such as employee surveys and Department of Defense officials, that could prove useful in this effort. Developing an evaluation plan and mechanisms for assessing the effectiveness of actions taken to improve its culture of accountability and transparency would better ensure that Coast Guard has the information it needs to evaluate whether the actions are helping service members have an experience free from sexual assault and harassment. Further, taking these steps would help ensure the service is improving its culture, which could assist in the recruitment and retention of its workforce. Why GAO Did This Study The Coast Guard is a maritime military service within the Department of Homeland Security that employs more than 55,000 personnel. Sexual assault and harassment have a negative effect on the victims, negatively affect retention, and disrupt mission readiness. This statement discusses the Coast Guard's recent efforts to address sexual assault and harassment. GAO analyzed Coast Guard documents, interviewed agency officials, and reviewed prior GAO reports on Department of Defense and Coast Guard efforts to prevent sexual assault and harassment. We also compared Coast Guard efforts to the Commandant instruction on internal controls as well as federal internal control standards.

Small Business Administration: Progress and Work Remaining to Implement Key Management Improvements

What GAO Found In response to the economic downturn caused by the COVID-19 pandemic, the Small Business Administration (SBA) quickly set up the Paycheck Protection Program (PPP), COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) program, and other relief programs. SBA also administers a Disaster Loan Program that helps small businesses and others recover after natural disasters. Since February 2020, GAO has made recommendations to improve SBA programs, including 23 key recommendations. SBA fully addressed 10 of the key recommendations, including the following: PPP oversight. Because SBA initially had limited safeguards, GAO recommended in June 2020 that it implement plans to respond to PPP risks, help ensure program integrity, and address potential fraud. In response, SBA developed a loan review process in December 2020. As of the end of fiscal year 2023, GAO estimated that SBA's use of additional safeguards in PPP and other COVID programs had resulted in more than $12 billion in savings. Assessment of fraud risks. SBA did not conduct a formal fraud risk assessment before implementing PPP or COVID-19 EIDL. In March 2021, GAO recommended that SBA conduct a formal assessment and develop a strategy to manage fraud risks for each program. SBA completed these steps in August 2023. SBA has not yet fully addressed 13 of these recommendations, including the following: Enhancing data analytics. In May 2023, GAO recommended that SBA identify data that could help verify applicant information and detect potential fraud. GAO also recommended that SBA develop cross-program data analytics that would better identify applicants who tried to defraud multiple programs. According to SBA, to begin addressing these recommendations, it has procured third-party services to help validate customer identity and has begun a comprehensive review of its data analytics. Addressing access barriers. GAO found in December 2021 that SBA's Disaster Loan Program and five other federal programs did not have key information for examining barriers to access and disparate recovery outcomes among various socioeconomic and demographic groups. GAO recommended SBA work with two other agencies to implement an interagency plan to address these equity issues. SBA officials said the agencies are in the process of developing such a plan. In addition, SBA's independent financial statement auditor has issued four consecutive disclaimers of opinion on SBA's consolidated financial statements since fiscal year 2020. SBA was unable to support a significant number of transactions and account balances related to PPP and COVID-19 EIDL. The auditor identified six material weaknesses in internal controls over financial accounting, including in controls for PPP and COVID-19 EIDL. GAO supports the auditor's recommendations to address these weaknesses and encourages SBA to develop and implement a corrective action plan to address them. Why GAO Did This Study Since spring 2020, SBA has administered four pandemic relief programs, including PPP and COVID-19 EIDL. PPP provides potentially forgivable loans to small businesses. COVID-19 EIDL provides low-interest loans of up to $2 million for operating and other expenses, as well as advances (grants). Concerns about SBA's implementation of PPP and COVID-19 EIDL led GAO to include emergency loans for small businesses on its High-Risk List in March 2021. SBA made or guaranteed more than $1 trillion in loans and grants and assisted more than 10 million small businesses through its relief programs. In addition, SBA has continued to make loans under its Disaster Loan Program. Among other things, this testimony focuses on the status of selected recommendations GAO has made to SBA on its pandemic relief and disaster loan programs, and on issues related to SBA's financial accounting. This testimony is based largely on the reports GAO issued since February 2020 containing the 23 key recommendations. For those reports, GAO reviewed SBA documentation, analyzed program data, and interviewed officials from SBA and other federal agencies. GAO also reviewed the opinions of SBA's independent financial statement auditor. For more information, contact Courtney LaFountain at (202) 512-8678 or lafountainc@gao.gov.

Bank Supervision: More Timely Escalation of Supervisory Action Needed

What GAO Found Risky business strategies and weak liquidity and risk management contributed to the failures of Silicon Valley Bank (SVB) and Signature Bank in March 2023. In both banks, rapid growth was an indicator of risk. From 2019 to 2021, the total assets of SVB and Signature Bank grew by 198 percent and 134 percent, respectively. This far exceeded growth for a group of 19 peer banks (33 percent, at the median). In addition, both banks had high percentages of uninsured deposits, which can be an unstable source of funding because customers with uninsured deposits may be more likely to withdraw their funds during times of stress. SVB also was affected by rising interest rates and Signature Bank had exposure to the digital assets industry. In the 5 years prior to 2023, the Board of Governors of the Federal Reserve System (Federal Reserve) and Federal Deposit Insurance Corporation (FDIC) identified concerns with SVB and Signature Bank. But both banks were slow to mitigate the problems the regulators identified and regulators did not escalate supervisory actions in time to prevent the failures. Federal Reserve and FDIC policies require staff to include specific information when communicating supervisory concerns to banks. GAO found that Federal Reserve and FDIC supervisory staff generally adhered to these requirements in communicating concerns to SVB and Signature Bank. Both regulators established internal procedures for when to escalate concerns to informal or formal enforcement actions. However, the Federal Reserve's procedures often were not clear or specific. The procedures often did not include measurable criteria for examiners to use when recommending informal or formal enforcement actions. This lack of specificity could have contributed to delays in taking more forceful action against SVB. Adopting clearer and more specific procedures could promote more timely enforcement action to address deteriorating conditions at banks in the future. In August 2023, FDIC updated its procedures for escalating supervisory concerns to require FDIC examiners to consider escalating supervisory concerns that are repeated or uncorrected at the end of an examination cycle. However, although the new guidance would have required examiners to consider escalation of Signature Bank concerns as early as 2019, it does not require escalation. As a result, it is unclear whether examiners would have escalated concerns to senior management on a timely basis. FDIC officials told us they intend to further update the procedures to expect examiners to require, instead of consider, escalation in these situations. Provisions in the Federal Deposit Insurance Act also help regulators determine when to escalate supervisory concerns. Section 38, also known as prompt corrective action, requires regulators to take increasingly severe actions as a bank's capital deteriorates. However, since the 1990s, GAO and others have reported that the effectiveness of the prompt corrective action framework is limited because it relies on capital measures, which can lag other indicators of bank health. The framework repeatedly has demonstrated weaknesses for addressing deteriorating financial conditions in banks and has not achieved a principal goal of preventing widespread losses to the Deposit Insurance Fund. Noncapital triggers (which could be based on factors such as interest rate risk, asset concentration, and poor management) can signal declining conditions before capital triggers do. Adopting noncapital triggers, such as by amending the Federal Deposit Insurance Act to incorporate such triggers, would encourage earlier action to address deteriorating conditions and also limit losses to the Deposit Insurance Fund by requiring early and forceful regulatory actions tied to unsafe banking practices before they impaired capital. Why GAO Did This Study The March 2023 failure of SVB and Signature Bank may cost the Deposit Insurance Fund an estimated $22.5 billion. The failures raised questions about the supervisory practices of the Federal Reserve and FDIC. GAO was asked to examine the regulators' communication and escalation of supervisory concerns in the years before the failures. This report examines the regulators' communication of supervisory concerns to the two banks, procedures for escalating such concerns, and whether adopting noncapital triggers could help regulators take more timely supervisory actions. GAO reviewed Federal Reserve and FDIC internal policies and procedures related to supervisory communication and escalation; analyzed supervisory documentation for SVB and Signature Bank; and spoke with staff from the Federal Reserve, Federal Reserve Bank of San Francisco, and FDIC.

Commercial Aviation Manufacturing: Supply Chain Challenges and Actions to Address Them

What GAO Found Orders for new commercial aircraft have rebounded since they declined in 2020. However, the two main manufacturers of commercial aircraft—Boeing and Airbus—have faced challenges in increasing production of their most popular models—the Boeing 737 and Airbus A320—to meet demand. Steps Boeing and FAA are taking to ensure safety after a January 2024 in-flight failure of a section of the fuselage have also affected Boeing's production levels early in 2024. Additionally, of the 15 companies GAO interviewed that supply components to Boeing and Airbus, nine said that they have likewise had difficulty filling orders with the rebound in demand following the COVID-19 pandemic. Estimated Number of Boeing 737 and Airbus A320 Aircraft Produced, 2013–2023 Manufacturers attributed these production challenges to workforce and material shortages and are working to mitigate them. Fifteen of the 17 manufacturers GAO spoke to said they or their suppliers have had difficulty hiring enough skilled workers to enable them to satisfy the demand for their products. Six manufacturers said that difficulty hiring sufficient workers may be related to difficult or hazardous working conditions that some of these jobs entail, such as the use of toxic chemicals. Some manufacturers reported offering financial incentives and working with local schools to build interest in aviation careers to address their workforce needs. Further, fifteen manufacturers said that they or their suppliers have had difficulty procuring materials needed to complete their orders. Material shortages included a broad range of items, such as engines and semiconductors as well as raw materials like aluminum. To address these material shortages, manufacturers said they have increased monitoring of suppliers and established additional sources for some supplies. Airlines reported making changes to scheduled flights and developing ways to safely extend the life of some parts, among other actions, due to the difficulty obtaining new aircraft or the parts needed to maintain their current fleet. Seven of the eight airlines GAO spoke with reported delays of new aircraft they had expected to receive in 2023, and all eight airlines said they have had trouble obtaining a broad range of parts needed to maintain their fleets. Parts in short supply included small hardware like nuts and bolts as well as specialized items like cockpit windows and engine components. Why GAO Did This Study Aviation manufacturing is a major economic driver in the United States, with the largest trade balance (exports minus imports) among all U.S. manufacturing sectors. A global network of manufacturers and suppliers provides the aircraft and components that airlines in the United States rely on to support their operations. Aircraft manufacturers and their suppliers have faced headwinds in recent years, including steep declines in orders for new aircraft and supply chain disruptions brought on by the COVID-19 pandemic in 2020. As airlines respond to the rebound in demand for air travel that began in 2021, aviation manufacturers' ability to provide new aircraft and parts is key to airlines' efforts to maintain and grow their operations. GAO was asked to examine challenges facing the aviation manufacturing supply chain. This report describes (1) what is known about demand for and production of new aircraft and parts since 2020, (2) factors affecting manufacturers' production of new aircraft and parts and actions to mitigate these factors, and (3) how airlines have been affected by the availability of new aircraft and parts to support their operations. GAO analyzed data on new aircraft orders and deliveries from Boeing and Airbus along with data on aircraft production from Aviation Week Network for 2013 through 2023. GAO interviewed a non-generalizable sample of 38 stakeholders—including manufacturers and airlines—who were selected to achieve a range of perspectives. For more information, contact Heather Krause at (202) 512-2834 or krauseh@gao.gov.

Human Capital: Characteristics and Administration of the Federal Wage System

What GAO Found The Federal Wage System (FWS) and General Schedule (GS) pay system cover about 192,455 federal blue-collar wage grade and 1.5 million federal white-collar GS employees as of 2023, respectively. Each pay system has its own separate laws, regulations, and policies that govern how it is to be administered. FWS employees receive an annual pay adjustment based on pay comparisons between FWS and private sector jobs in defined wage areas that require similar skills and responsibilities. Congressional actions have capped the FWS pay adjustments so they do not exceed the average GS pay adjustment since fiscal year 1979. This is due to budgetary concerns, according to Office of Personnel Management (OPM) officials. Since fiscal year 2004, congressional actions have required FWS employees to receive at least the same wage schedule adjustment in percentage terms that GS employees receive where they work. According to OPM and Department of Defense (DOD) officials, linking FWS pay adjustments to GS pay adjustments has resulted in FWS pay rates that are below or above prevailing (market) levels. Average Wage Schedule Rates Compared to Prevailing Wage Rates for Nonsupervisory Employees in Appropriated Fund (AF) Wage Areas for Fiscal Year 2023 Note: Employees in AF wage areas are generally funded from the Treasury. In some cases, data showed that the average wage rates were both above and below prevailing (or market) rates where there are multiple wage schedules associated with a single AF wage area. The process for administering the FWS includes: (1) establishing and combining wage areas, (2) conducting wage surveys, and (3) setting wage schedules. OPM defines wage areas based on geographic concentrations of FWS employees and private employment. Designated by OPM, DOD conducts annual surveys to collect data from private sector establishments within the wage areas and sets hourly pay rates for the wage schedules. Why GAO Did This Study The Prevailing Rate Systems Act of 1972 established the FWS for federal blue-collar employees who work in trade, craft, and labor. The act's underlying principles are to set pay rates for federal blue-collar workers in line with local prevailing (or market) rates and provide equal pay for substantially equal work. However, subsequent actions by Congress have limited the maximum pay adjustments granted to certain FWS employees, tying them to the average GS pay adjustment. The Joint Explanatory Statement for the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the administration of the FWS. This report describes (1) characteristics of the FWS and GS pay systems and how they compare, and (2) the process for administering the FWS. GAO reviewed legislation; OPM regulations, memorandums, guidance, and documentation; DOD guidance, data, and documentation; and Federal Prevailing Rate Advisory Committee reports. GAO also interviewed OPM and DOD officials and Federal Prevailing Rate Advisory Committee members (comprised of agency and labor management representatives) who provide input to OPM on defining wage areas. DOD and OPM provided technical comments on a draft of this report, which GAO incorporated as appropriate. For more information, contact Yvonne D. Jones at (202) 512-6806 or jonesy@gao.gov.

Child Care: Selected States Are Taking Steps to Sustain Program Changes Implemented with COVID-19 Funding

What GAO Found In all five selected states, child care officials reported using supplemental funding to make investments and program changes to address preexisting challenges facing families and child care providers. Preexisting challenges included the affordability and availability of child care for families, and financial viability and staffing for child care providers. These state officials reported making one-time investments, such as updating technology systems and creating targeted grants that could have long-term positive impacts (see figure). They also changed their Child Care and Development Fund (CCDF) programs to enhance families' access to child care and improve providers' financial viability. For families, they expanded eligibility for subsidies and lowered family co-pays. For providers, they focused on payment rates, compensation, workforce development, and quality improvement. States planned to use various strategies to sustain program changes that were made using supplemental funding, such as establishing a new state trust fund or increasing state child care budgets. State officials said that their ability to secure ongoing funding would affect their ability to maintain certain program changes. Example of New York State (NYS) Child Care Grant Opportunity Notice The Department of Health and Human Services' Office of Child Care supported states' efforts to address challenges for families and providers with supplemental funding by encouraging specific uses for funds and offering technical assistance. After COVID-19 relief laws were enacted, the agency published guidance that encouraged states to make CCDF program changes. These included increasing provider payment rates based on new cost modelling and increasing family income eligibility limits. The Office of Child Care also provided technical assistance to help states explore options to enhance their CCDF programs and continues to support states' efforts to determine which of their recent program changes can be sustained beyond the expiration of the supplemental funding. For example, it has helped states develop strategic plans, facilitated opportunities for states to learn from their peers, and referred states to its technical assistance partners for specialized assistance. Why GAO Did This Study The COVID-19 pandemic caused significant disruptions to the country's child care sector, exacerbating preexisting challenges for families and providers. In response, in fiscal years 2020–2021 Congress appropriated more than $52 billion in supplemental funding to CCDF, which supports states' efforts to assist low-income working families with obtaining child care. The remaining funds must be expended by September 30, 2024. House Appropriations Committee Report No. 117-96 includes a provision for GAO to study the state use of COVID-19 relief funding for long-term strategies to improve and support the child care sector. This report examines (1) how selected states used supplemental funding to implement long-term strategies that help address preexisting challenges for families and providers, and (2) how OCC supported states' efforts to address challenges for families and providers using pandemic-related funds. GAO interviewed CCDF administrators from five states (Michigan, Nevada, New Mexico, New York, and Tennessee) about their experiences implementing long-term program changes with COVID-19 funds and the support they received from the Office of Child Care. GAO selected states to represent diversity in child care funding amounts and geographic region. The information from the states is not generalizable, but provides perspectives. GAO also interviewed agency officials and organizations knowledgeable of child care issues; and reviewed related reports, literature, federal laws and regulations, and Office of Child Care guidance. For more information, contact Kathy A. Larin at (202) 512-7215 or larink@gao.gov.

Federal Real Property: More Consistent Monitoring of Asbestos Could Improve Oversight

What GAO Found The General Services Administration (GSA) may be legally responsible for the cleanup of environmental contaminants on federal properties it manages before it disposes of those properties via sale or other means. GSA annually reports its environmental liabilities across three categories: asbestos, non-asbestos (e.g., lead paint), and hazardous releases (e.g., petroleum). GSA uses a formula to estimate the costs to address asbestos and non-asbestos contamination, which together account for 95 percent of its annually reported liabilities. GSA bases its liability estimates for hazardous releases on site-specific information gathered by GSA's regional environmental managers. GSA's estimated environmental liabilities were largely stable between fiscal years 2018 and 2022, ranging from $1.8 to $2.0 billion. GSA manages asbestos and non-asbestos contamination in place—as these materials pose little health risk when not damaged or disturbed—and GSA officials said they take immediate action on hazardous releases. To manage asbestos in place, GSA policy requires buildings that could contain asbestos materials be inspected every 5 years. However, according to GSA data, approximately two-thirds of buildings (638 of 955) were out of compliance with this inspection policy. Buildings out of compliance include hundreds in which GSA has not conducted an inspection in more than a decade or does not know when the most recent inspection occurred. Buildings Out of Compliance with General Services Administration's 5-Year Asbestos Inspection Policy, as of September 2023 GSA officials provided several reasons these buildings are out of compliance with GSA's asbestos inspection policy, including funding and staffing challenges, incomplete records, and limitations with the database used to track asbestos inspections. GSA officials said they are developing a comprehensive plan for completing required inspections and considering changes to the asbestos policy to follow a more risk-based approach. These officials said they have not yet identified specifics of this plan, including timelines for completing required inspections or for modifying the policy. As a result, GSA does not have key data needed to monitor asbestos and protect health and safety. Why GAO Did This Study GSA's cleanup of environmental liabilities on federal properties represents a fiscal exposure for the federal government. The federal government's growing environmental liabilities and federal real property management are on GAO's High-Risk list, partly due to these challenges. GAO was asked to review how GSA estimates and manages its environmental liabilities. This report examines, among other objectives: (1) how GSA estimates environmental liabilities and (2) how GSA manages environmental contaminants and the extent to which GSA follows its asbestos management policy. GAO reviewed GSA's asbestos management policy, annual financial reports, cost estimation formulas, budget and expenditure information, real property data, and conducted three site visits. GAO also interviewed GSA officials, contractors, and subject matter experts.

Federal Student Loans: Education Should Enhance Reporting on Direct Loan Performance and Risk

What GAO Found The Department of Education is designing and testing a new model to estimate future costs of the William D. Ford Federal Direct Loan (Direct Loan) program, which provides financial assistance to students and their parents for postsecondary education. Education aims to begin using the model with the President's fiscal year 2028 budget. Education officials said the new model is being designed to better reflect the complexity of both borrower behavior and the Direct Loan program. Decisions about data, analytical design, technology, and staffing will influence the model's long-term operation and the quality of future cost estimates. Education is required to develop cost estimates for the President's budget in accordance with the Federal Credit Reform Act of 1990 (FCRA). FCRA reflects Education's borrowing from the Department of the Treasury to finance lending. GAO compared FCRA with three federal and private sector alternative approaches that could be used to develop cost estimates. These approaches were the Congressional Budget Office fair value (federal), Financial Accounting Standards Board (FASB) Current Expected Credit Losses (private sector), and FASB fair value (private sector). These four approaches do not affect the eventual budgetary costs over time but do result in different initial cost estimates. Estimated initial costs under the non-FCRA approaches will generally be higher than what is initially estimated under FCRA due to a variety of factors, such as the addition of market risk and other risks. Regardless of the approach used, how well an agency is able to predict future cash flows is fundamental to calculating reliable cost estimates. Illustration of Overall Budgetary Cost Estimates for a Group of Direct Loans Converging over Time as Costs are Updated Note: The graphic assumes that actual cash flows will equal estimated cash flows over time. Education publishes information about the Direct Loan program's performance and risks that is generally consistent with guidance, but there are areas where the department could enhance its reporting by expanding the sensitivity analysis to cover a wider range of economic circumstances. Such information is particularly important given the size and complexity of the Direct Loan program. Why GAO Did This Study Over the last 3 decades, the Direct Loan program has grown in size and complexity, with over $1.3 trillion in outstanding loans as of September 2023. This program provides financial assistance to help students and their parents pay for postsecondary education. GAO was asked to review issues related to Education's Direct Loan program cost estimates. This report examines (1) the status of Education's planned model for estimating Direct Loan costs; (2) how certain federal and private sector estimation approaches would affect Direct Loan budgetary costs over time; and (3) the extent to which Education provides key information about the performance and risks of the Direct Loan program. GAO reviewed documentation on Education's current student loan model and plans for its new model. GAO analyzed the potential budgetary impact over time of four approaches for estimating the cost of a selected group of loans. GAO identified relevant reports, reviewed reporting guidance for federal loan programs, and interviewed officials from Education, other agency officials, and stakeholders with relevant expertise.

Science & Tech Spotlight: Wearable Technologies in the Workplace

Why This Matters In 2022, the warehousing, manufacturing, and construction industries experienced over 700,000 nonfatal injuries and over 2,000 fatal accidents. Meanwhile, consumer demand on these industries grows, creating pressure for increased productivity. To enhance and monitor worker safety and productivity, companies have begun deploying wearable technologies, from ergonomic sensors to exoskeletons. Key Takeaways Recent innovations in sensor and networking technologies have increased the feasibility of and interest in the use of wearables in the workplace. Companies have already deployed some wearables, but there are limited published data on the efficacy of these technologies to increase safety in the workplace. Concerns about data privacy, cost, and ease of use may hinder widespread workplace adoption of wearables. The Technology What is it? Wearable technologies, or wearables, are devices worn on the body and can vary in size, shape, and function. Some employers have an increasing interest in using wearables to improve worker safety and productivity. Industrial uses fall into four general categories: (1) supporting devices physically assist workers with tasks like lifting (e.g., exoskeletons and powered gloves); (2) monitoring devices alert workers to specific changes in vital signs or the workplace environment (e.g., smart helmets); (3) training devices provide feedback on movements (e.g., ergonomic sensors) or help improve worker performance (e.g., augmented reality (AR) glasses); and (4) tracking devices observe the location of employees on a worksite (e.g., GPS trackers). See figure 1 for examples. Figure 1. Illustration of some wearable technologies of interest to modern industrial workplaces. How does it work? The way wearables work depends on the type of technology. Supporting devices like exoskeletons or powered gloves provide physicalsupport to the user’s shoulders, hands, or back during repetitive overhead work, gripping, or lifting. Most monitoring, training, and tracking technologies take advantage of innovations in networking by connecting many types of sensors to collect, exchange, and analyze data—sometimes referred to as the industrial internet of things (IIOT). Smart helmets, for example,incorporate physiological and environmental sensors and GPS trackers into protective headgear. These sensors can alert employees and workplace medical teams to accidents, such as falls, and to potential hazards, like heat and humidity. Similarly, ergonomic sensors, worn on the hip, back, or arm, can alert a user when they perform potentially unsafe movements (e.g., lifting with improper form). Through real-time alerts and movement data analytics, these sensors may help train workers and reduce injuries. How mature is it? Advancements in sensors, data analytics, and networking technologies have increased the feasibility of wearables, although their maturity varies. Several companies use exoskeletons or ergonomic sensors to some extent. Other wearables, such as smart helmets, have had pilot studies but still need further testing. Battery life and accuracy of underlying location tracking technologies pose challenges for scale-up. Recent studies have drawn limited conclusions in assessing the net effect of wearables on employee health and productivity. For example, one peer reviewed study showed that ergonomic sensors may reduce time in risky postures, but the study had limitations including a small sample size and short duration. A different review of wearables points out that the pressure of being constantly monitored can lead to increased stress in some workers and, consequently, increased probability of injury. Opportunities Improve employee safety. Wearables could reduce the risk of injuries from strenuous work or worker-equipment collisions and may improve response time to emergencies. Increase employee productivity. Some companies have used AR glasses to aid repair technicians or to reduce error rates when item picking to fill orders. Challenges Privacy. Monitoring devices can store data on employee physiology and movements, which may create privacy concerns. For example, employees surveyed as a part of a wearable pilot test cited concerns about being tracked.; Data Security. Data stored on wearables may be vulnerable to hackers because updating software can be difficult and many devices lack strong encryptions. Cost. Companies can face high up-front costs to acquire and deploy wearables. Ease of use. Employees may find some technologies cumbersome, complex, or uncomfortable to use. For example, one study cited employee concerns about the additional weight of the wearable. Policy Context and Questions The National Institute for Occupational Safety and Health (NIOSH) conducts and coordinates research on wearables. Officials from the Occupational Safety and Health Administration (OSHA) told us that the agency oversees workplace safety but does not have any specific standards related to wearables. What types of additional studies would determine whether wearables achieve benefits such as improving employee safety? What is the federal role, if any, in overseeing these technologies and their use in the workplace? What safeguards or standards, if any, could help ensure that the development and adoption of wearables achieves positive outcomes and responds to employee concerns? Selected GAO Work Workplace Safety and Health: Actions Needed to Improve Reporting of Summary Injury and Illness Data, GAO-21-122. Internet of Things: Status and implications of an increasingly connected world, GAO-17-75. Selected References "Wearable Technologies" NIOSH Science Blog, https://blogs.cdc.gov/niosh-science-blog/category/wearable-technologies/. Accessed January 29, 2024. Ekaterina Svertoka, et al., “Wearables for Industrial Work Safety: A Survey,” Sensors,vol. 21 (2021) doi:10.3390/s21113844. For more information, contact Karen L. Howard, PhD at (202) 512-6888 or howardk@gao.gov.

Special Operations Forces: Documented Policies and Workforce Planning Needed to Strengthen Civilian Oversight

What GAO Found Since 2019, the Department of Defense (DOD) has increased the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict's (ASD-SO/LIC) oversight responsibilities for U.S. Special Operations Command (SOCOM). DOD has also increased resources for the Secretariat for Special Operations, which assists the ASD-SO/LIC in conducting oversight. However, as of September 2023, the Secretariat's staffing levels remained below the 80–94 full-time equivalent levels the Secretariat identified as required to oversee SOCOM. Comparison of Secretariat Staffing Levels with Required Levels, as of September 2023 Note: Per the 2022 staffing assessment, the expanded requirement includes a 20-percent adjustment for unanticipated workload and staff availability (e.g., leave and training) for some functions. In November 2023, the Secretariat finalized a staffing plan required by statute, including milestones to reach 69 full-time equivalents by early 2024. However, the finalized plan does not fully incorporate some key principles for strategic workforce planning, such as aligning with long-term goals, identifying critical skill gaps, and developing strategies to address them. Developing a staffing plan that incorporates these principles would help ensure that the Secretariat hires the personnel required to meet its future needs for overseeing SOCOM. Section 922 of the National Defense Authorization Act for Fiscal Year 2017 strengthened the ASD-SO/LIC's service secretary-like role for overseeing SOCOM's activities. The Secretariat developed 57 benchmarks for implementing section 922 and reported completing 49 of them as of January 2023. However, according to officials, the respective work process policies for the Secretariat and SOCOM are not always documented for two reasons. First DOD's Office of the Director of Administration and Management has concerns about ASD-SO/LIC's authority to issue guidance. However, the ASD-SO/LIC has broad statutory and regulatory authority under its charter to establish DOD-wide policy. Second, the Secretariat does not have a systematic approach for identifying and documenting its oversight policies. Implementing a systematic approach for documenting policies would help ensure consistent oversight. The Secretariat has at times had limited input into how its hiring, office space, and IT needs are met because of confusion about ASD-SO/LIC's administrative role, given ASD-SO/LIC's unique position within DOD. Until the ASD-SOLIC and the Under Secretary of Defense for Policy clarify that administrative role, the Secretariat will continue to have limited input into its administrative services—affecting its ability to effectively oversee SOCOM. Why GAO Did This Study Congress established the ASD-SO/LIC in 1986 to oversee SOCOM's special operations activities. Section 922 of the National Defense Authorization Act for Fiscal Year 2017 strengthened the ASD-SO/LIC's service secretary-like role in overseeing SOCOM's activities, such as budgeting and programming. Senate Report 117-130 includes a provision for GAO to review DOD's implementation of section 922. GAO examined the extent to which the Secretariat for Special Operations has (1) hired the staff needed to oversee SOCOM, (2) reported on its implementation of section 922 reforms and documented its oversight policies, and (3) faced challenges related to obtaining administrative support services. GAO analyzed fiscal years 2019–2023 Secretariat staffing levels. GAO also compared the Secretariat's staffing plan with strategic workforce planning principles, and ASD-SO/LIC's policies and practices with leading principles for interagency collaboration.

DOD Reviews and Responses to GAO Reports: Second Semiannual Report Examining Delays

What GAO Found The Department of Defense (DOD) submitted 55 percent of its agency comments and almost 70 percent of its sensitivity reviews to GAO after the deadline. DOD conducted two security reviews, and both were submitted late. In comparing the results of GAO's analysis of DOD's performance during this period of review with those in the first semiannual report on this topic, DOD was less timely in providing both agency comments and sensitivity/security reviews. GAO provides audited agencies with an opportunity to review and comment on draft reports before GAO issues the final report. Additionally, for any reports that may contain controlled unclassified or classified information, GAO requests that the department complete a review for such information and communicate the results of the review in writing. DOD provided GAO comments on 76 reports from May 16, 2023, to November 11, 2023. While GAO generally provides DOD with 30 days for agency comment, DOD took 35 days, on average. Of the 76 reports, DOD submitted comments for 42 after the 30-day deadline and took an additional 16 days, on average, to submit agency comments on those reports. For one report, DOD took 98 days to provide its comments. DOD completed 28 reviews—26 sensitivity and 2 security reviews—during the same period. Sensitivity reviews are conducted to identify sensitive information, such as controlled unclassified information. Reviews for classified information, such as information designated as Secret or Top Secret, are generally referred to as security reviews. On average, DOD completed sensitivity reviews in 40 days and security reviews in 77 days—exceeding the 30-day deadline. Of the 34 reports for which GAO granted an extension to the deadline for submitting comments or reviews, DOD did not meet the extension for ten. DOD also submitted comments late for eight additional reports without requesting extensions. Why GAO Did This Study Delays in DOD submitting agency comments or the sensitivity/security reviews result in GAO issuing products later than mandated or requested by Congress. In some cases, delays may result in GAO taking the unusual step of issuing reports without DOD comments in order to provide Congress with requested information. The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 included a provision for GAO to report every 6 months over a 2-year period on the extent to which DOD submitted agency comments and sensitivity or security reviews in a timely manner and in accordance with GAO protocols. This report is the second in a series of four reports on this topic. For more information, contact Alissa Czyz at (202) 512-3058 or czyzA@gao.gov.

Biomedical Research: Actions Needed to Adopt Collaboration Practices to Address Research Duplication

What GAO Found The Department of Health and Human Services (HHS) has long invested in biomedical research. Within HHS, among others, the Advanced Research Projects Agency for Health (ARPA-H), the National Institutes of Health (NIH), the Biomedical Advanced Research and Development Authority (BARDA), and the Food and Drug Administration (FDA) fund or conduct biomedical research. Each of these four HHS agencies' research activities have the potential for duplication when funding research in common areas. GAO found the four selected HHS agencies use multiple practices intended to help avoid unnecessary research duplication. These include reviewing project and funding information provided by applicants, consulting with experts and other agencies, and using databases to identify potentially overlapping research (see figure). When evaluating instances of research duplication, agency staff also distinguish between necessary and unnecessary duplication. GAO previously reported that some research duplication is necessary to confirm results or otherwise advance a project or field, whereas unnecessary duplication is research not needed to replicate or complement prior results. Example of HHS Agencies' Practices to Avoid Unnecessary Research Duplication In 2022, Congress directed the ARPA-H Director to, among other things, coordinate with other federal departments and agencies to ensure that ARPA-H's research is free of unnecessary duplication and established the ARPA-H Interagency Advisory Committee of eight federal agencies to coordinate efforts, among other functions. Such coordination can be a means for ARPA-H and committee member agencies to share information on their research activities and help ARPA-H avoid unnecessary duplication. ARPA-H officials told GAO that the committee will serve as a forum to identify and address potential research duplication between ARPA-H and these agencies. However, the Committee's draft charter does not mention how the members would collaborate to help ARPA-H identify and avoid funding research duplication. Leading practices for interagency collaboration include identifying shared goals and having documented agreements regarding the collaboration. By finalizing the charter to include members' agreement on collaboration methods to avoid ARPA-H funding unnecessary duplication, ARPA-H will be better positioned to improve the future return on the nation's investment in transformational health research. Why GAO Did This Study HHS's mission is to enhance the health and well-being of all Americans by, among other things, fostering sound, sustained advances in the sciences. HHS's longstanding agencies—NIH, BARDA, FDA—as well as its newest agency, ARPA-H, fund biomedical research. The Consolidated Appropriations Act, 2023, includes a provision for GAO to issue a series of reports on potential duplication in HHS's biomedical research and development portfolio. To manage the scope and reporting timeline, this first report focuses on ARPA-H, BARDA, FDA, and NIH as specified in the Act. It (1) describes practices used by the selected HHS agencies to identify and avoid unnecessary research duplication and (2) examines ARPA-H's collaboration and efforts to establish an interagency advisory committee as a potential means to prevent unnecessary research duplication. To conduct this work, GAO reviewed agency information, and legislation, among other documents. GAO also interviewed agency officials and a non-generalizable selection of non-federal experts in biomedical research.

International Military Students: DOD and State Should Assess Vetting Implementation and Strengthen Information Sharing

What GAO Found Starting in fiscal year 2020, DOD developed and phased in procedures to vet international military students attending training at Department of Defense (DOD) installations and facilities in the U.S. With few exceptions, DOD vets these students prior to travel to the U.S. for training and periodically during the students' stay. According to training management system data, from October 1, 2019, through March 31, 2023, DOD vetted over 29,000 cases, including students and any accompanying family members. DOD identified findings in 103 cases: four were classified as “high” risk, 18 were “moderate”, and 81 were “low.” DOD denied access to nine students for various security-related reasons. International Military Student Cases by Risk Level and Adjudication Result for October 1, 2019, through March 31, 2023 Risk level Cases Approved for training Denied Pending Adjudication not performeda High risk 4 0 4 0 0 Moderate risk 18 7 3 4 4 Low risk 81 47 2 14 18 No findings 29,202 29,202 0 0 0 Total 29,305 29,256 9 18 22 Source: GAO analysis of data from the Defense Security Cooperation Agency. | GAO-24-106421 Note: Vetting of international military students began with basic screening in December 2019 and DOD continued to phase in initial security vetting through March 2022. aDepartment of Defense (DOD) officials stated they did not adjudicate 22 of the moderate and low risk cases for reasons such as training cancellation or the student completed training during the establishment of vetting procedures and has since departed the U.S. DOD has taken some steps to improve implementation of vetting procedures for international military students. However, DOD has not assessed implementation to identify opportunities for improvement. For example, stakeholders told GAO of factors in vetting implementation that could be improved, such as limitations with in-country data collection and a time-consuming process for sharing information between stakeholders. DOD circulated a draft progress report on program metrics, such as the number of students who underwent vetting for fiscal year 2022. However, DOD has not finalized the report, and it is unclear if it will include an assessment of any opportunities for improvement in the vetting procedures. Without an assessment, DOD will not have a full understanding of factors that hinder vetting implementation. DOD also cannot determine whether or how it should take action to improve vetting implementation. The Department of State and DOD share information to support international military student vetting in a variety of ways, such as sharing database access and confirming vetting. However, State and DOD have not ensured that roles and responsibilities are fully clarified in guidance or written agreements. If DOD and State take actions to clarify roles and responsibilities for sharing information on issues related to international military students, the agencies can better coordinate on program management, including communicating relevant policy updates and sharing additional data and analysis regarding vetting. Why GAO Did This Study DOD provides education and training to foreign military personnel at DOD sites. On December 6, 2019, an international military student killed three U.S. service members and injured eight others while attending training at Naval Air Station Pensacola, Florida. The attack raised questions about personnel safety at DOD sites hosting students for training. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to review DOD's implementation of security vetting for international military students and accompanying family members. GAO's report assesses the extent to which (1) DOD has developed vetting procedures for international military students and addressed any implementation challenges; and (2) State and DOD have shared information related to students' training at DOD sites in the U.S. GAO reviewed documentation; analyzed vetting result data for October 1, 2019, through March 31, 2023; and interviewed DOD and State officials and stakeholders from six unified combatant commands and three U.S. embassies.

VA Health Care: Organization of the Office of Mental Health and Suicide Prevention

What GAO Found The Department of Veterans Affairs (VA) bases its approach for suicide prevention on its 2018 National Strategy for Preventing Veteran Suicide. This strategy outlines a comprehensive public health approach to suicide prevention that includes a combination of (1) clinically-based interventions, such as suicide risk screening for individual patients, and (2) community-based programs and services, such as programs to promote firearm safety to the public to reduce the risk of suicide by firearms. In 2017, the Veterans Health Administration (VHA) organizationally combined the Office of Suicide Prevention and the Veterans Crisis Line——which GAO refers to collectively as suicide prevention programs—with mental health policy and operations in its newly created Office of Mental Health and Suicide Prevention (OMHSP). VHA stated that it created OMHSP to ensure oversight and management of evidence-based strategies within VHA and the community related to identifying veterans with mental health care needs, identifying veterans in crisis, and decreasing the rate of veteran suicide. OMHSP leadership officials identified benefits and challenges related to the placement of suicide prevention programs within OMHSP. For example, OMHSP's leadership officials reported that including suicide prevention and mental health within the same office facilitated internal coordination, which was beneficial when implementing new legislation that targeted suicide prevention and mental health issues. However, Suicide Prevention Branch officials reported challenges related to the office's public health suicide prevention efforts. For example, officials said their placement within OMHSP has given them less autonomy with decision-making, such as decisions about suicide prevention initiatives, which require multiple levels of approval. In July 2023, VHA approved a number of changes to its organizational structure that include moving both the Suicide Prevention Program and Veterans Crisis Line out of OMHSP into a separate program office within VHA's Office for Clinical Services. VHA conducted an assessment to determine the best placement for these programs. VHA's assessment and officials GAO spoke with identified several benefits and challenges related to this organizational change. The benefits included the importance of having the Suicide Prevention Office in a more elevated position within Clinical Services given its priority within the department and its need to coordinate across multiple VHA offices. The challenges included that keeping suicide prevention within the Office for Clinical Services could give the impression that suicide prevention is solely a clinical issue. VHA documents indicate that it plans to implement this change in 2024. As VHA implements these organizational changes, it will be important for it to determine whether this structure achieves the benefits it has anticipated and addresses anticipated, as well as any unanticipated, challenges or risks. Why GAO Did This Study Suicide is a persistent public health problem facing all populations, but particularly veterans. Veterans suffer a disproportionately higher rate of suicide compared to non-veterans. An average of almost 18 veterans died by suicide each day in 2021—a rate about 72 percent higher than the general adult population. VA reported that about 62 percent of the veterans who died by suicide in 2021 had not obtained recent health care through VHA. VHA works to build networks of support, communication, and health care across communities in which veterans live and work to help prevent deaths by suicide of veterans who do not obtain care through VA' health system. Suicide prevention is VA's stated top clinical priority. VHA's suicide prevention programs have the lead responsibility for overseeing and implementing the department's suicide prevention initiatives. Among its responsibilities, the Suicide Prevention Program helps implement VA's National Strategy. VHA's Crisis Hotline is a national toll-free number that supports veterans in emotional crisis. Since establishing these programs in 2007, VHA has moved their organizational placement within various program offices at its national headquarters, also referred to as the central office, multiple times. In May 2017, both suicide prevention programs were placed alongside VHA's mental health programs within the newly established OMHSP. However, in July 2023, VHA approved a number of changes to its organizational structure, including changes to the placement of these suicide prevention programs. GAO conducted its review of VA's management of its mental health and suicide prevention services, including OMHSP's organizational structure, pursuant to law. This report answers key questions related to the organization of OMHSP and its suicide prevention programs. For more information, contact Alyssa M. Hundrup at (202) 512-7114 or hundrupa@gao.gov.

Nuclear Weapons: Information on the National Nuclear Security Administration's Research Plan for Plutonium and Pit Aging

What GAO Found This report provides an unclassified summary of GAO's classified briefing to the House of Representatives' Committee on Armed Services. In 2021, the National Nuclear Security Administration (NNSA) developed a 10-year research program plan to study plutonium and pit aging. According to NNSA officials, the results from the research plan will allow NNSA to more confidently predict pit lifetimes for each nuclear weapon system in the U.S. stockpile. To do so, NNSA requires the use of experimental facilities across the nuclear security enterprise. NNSA will also need to expand its inventory of samples of artificially aged plutonium so that aging effects can be projected decades into the future. NNSA's estimated budgetary requirements to carry out the planned experiments, modeling, and simulation activities total about $1 billion over the 10-year period of fiscal years 2021 through 2030. Why GAO Did This Study NNSA is responsible for ensuring the stockpile's performance, safety, and reliability. Scientists and other weapons experts have identified concerns that radioactive decay of plutonium in a pit, called aging, over many years may degrade a weapon's performance. Prior to 2021, independent evaluations indicated that NNSA was not sufficiently prioritizing plutonium and pit aging research. The results of this research are needed to inform decisions about stockpile management and modernization. For more information, contact Allison Bawden at (202) 512-3841 or bawdena@gao.gov.

Pages