What GAO Found In March 2022, the Department of Transportation (DOT) announced over $1 billion available for award under its National Infrastructure Project Assistance (Mega) discretionary grant program. Mega provides grants on a competitive basis to support large, complex transportation projects. Of the 259 Mega applications received for fiscal year 2022, DOT advanced 128 for award consideration. Most of these applications were submitted by state governments. Approximately 70 percent of the applications requested a total of $18.1 billion for highway or bridge projects, and the remaining applications requested a total of approximately $10 billion primarily for intermodal, intercity passenger rail, or transit projects. The Secretary of Transportation selected nine applications for award. Locations of Projects That Received National Infrastructure Project Assistance (Mega) Program Awards, Fiscal Year 2022 GAO found that DOT's selection process for the Mega program generally aligned with specified DOT guidance and federal regulations for discretionary grant programs. For example, DOT followed up with applicants to obtain additional information as outlined in its evaluation guidelines. However, DOT did not fully document the rationale for key decisions, as required by DOT guidance. Specifically, DOT did not document how it determined some projects were “exemplary,” a designation that applications are highly recommended. According to DOT officials, “exemplary” means standing out among peers as a model. Yet, DOT's documentation only stated that applications deemed “exemplary” were strong in a particular area and did not explain what distinguished them from other applications. DOT officials stated that they believed DOT had documented its determinations and explained how they related to the program criteria. GAO previously recommended that DOT more fully document key decisions for other DOT discretionary grant programs and clearly define how a project may qualify as exemplary. By implementing these recommendations, DOT can improve the transparency of the selection process for the Mega program. Why GAO Did This Study The Mega program provides funding for large, complex projects that are difficult to fund by other means and likely to generate national or regional economic, mobility, or safety benefits. Mega projects include highways, bridges, intercity passenger rail, and transit. DOT awarded $1.2 billion in fiscal year 2022 funding to nine Mega applications. The Infrastructure Investment and Jobs Act includes a provision for GAO to examine DOT's process for selecting Mega projects for award. This report discusses (1) the characteristics of Mega applications, and (2) the extent to which DOT's selection process aligned with specified DOT guidance and federal regulations for grants management. GAO reviewed DOT's Notice of Funding Opportunity, evaluation guidelines, and documentation of the Mega selection process for fiscal year 2022; analyzed application and award data; and interviewed DOT officials. GAO also compared DOT's selection process with DOT guidance and federal regulations for discretionary grant programs.

What Participants Said Digital technology presents opportunities for greater access and customization of financial education and products for consumers but may pose risks as well. Participants highlighted the following themes during the forum: Digital products can generally increase access to financial services. Low-income and minority consumers that may have different cultural norms around finances and banking may benefit from the increased flexibility offered by digital products and services. Participants also noted that digital investment platforms tend to attract younger consumers, who see new opportunities for wealth-building previously seen as out of reach. However, limited access to broadband may hinder accessibility for some consumers.   Digital products and services offer consumers improved experiences but also pose risks. These products and services enable personalized support, such as through advisers powered by artificial intelligence, to inform decision-making specific to a consumer’s financial situation. However, the ease and convenience of digital transactions can lead to risky behavior, such as investment in crypto assets. Additionally, participants said consumers face increased risks of fraud and scams, including phishing and unauthorized sharing of personal information. Consumers face challenges navigating the digital financial landscape. Consumers need both technical skills and traditional financial knowledge to make informed decisions about digital financial services—for example, to detect biased marketing and to avoid scams. Reliable financial information, such as information offered through government sources, is available online but is often underused. Participants noted that many financial technology (fintech) companies offering digital products and services are lightly regulated and consumer protections are limited. Digital technology expands options for financial education. It allows for more cost-effective and scalable financial education initiatives using digital channels. Digital technology also creates opportunities for just-in-time education personalized for the consumer. Digital platforms offer diverse formats, such as podcasts and infographics, and can include game-like features like achievement badges, all of which can enhance engagement with educational materials. However, the quality of digital financial education sources can vary, participants noted, ranging from social media influencers to trusted government resources. Traditional schools, a trusted source for education, can also help build financial literacy and related skills. More research is needed. Participants agreed that to understand the effects of digital products on consumers, further evaluation of their use and outcomes is essential. However, researchers can face challenges collecting and analyzing data controlled by private companies. Data-sharing agreements between researchers and service providers can mitigate these challenges. Partnerships between the public and private sectors that allow for data sharing and monitoring could also improve efforts to evaluate products. Why GAO Convened This Forum Americans face various challenges in achieving and maintaining financial security, especially as digital products and information become more prevalent. The growth of these digital financial services, such as peer-to-peer payment methods, has significantly affected consumers’ financial choices, opportunities, and risks. These developments also underscore the need for digital financial literacy—that is, the knowledge, skills, and abilities to safely use digitally delivered products and services to make informed financial decisions. On June 12, 2024, GAO convened a group of experts and stakeholders for a forum on how consumers’ financial literacy has been affected by the increased digital offering of products, services, and education. The participants discussed opportunities and risks of digital financial services,financial services, key skills for navigating the digital financial landscape, and digital delivery of financial literacy education. Participants were selected to represent a range of experience and viewpoints. Participants included 15 experts and stakeholders from the private sector, federal government agencies, nonprofit organizations, and academic institutions. Participants reviewed a draft of this summary. Their comments were incorporated as appropriate. Views expressed during the proceedings do not necessarily represent the opinions of all participants, their affiliated organizations, or GAO. For more information, contact at (202) 512-8678 or cackleya@gao.gov or Tranchau (Kris) T. Nguyen, (202) 512-7215 or nguyentt@gao.gov.

What GAO Found In 2023, the Small Business Administration (SBA) started the Unified Certification Platform project. This project is intended to allow small businesses to more efficiently apply for and maintain certifications to SBA's contracting assistance programs, compared to legacy certification systems. SBA originally anticipated deploying the system in September 2024. In June 2024, SBA announced a pause, effective August 1, 2024, in accepting new applications for certification. GAO expressed concerns regarding the agency's pause in accepting new applications until the certification system is deployed. GAO also noted that SBA triggered questions about risks and available mitigation strategies if full deployment did not occur in September or if there were system performance issues after deployment. The risk of a deployment delay was eventually realized, as SBA delayed UCP deployment to address system issues identified during testing. SBA subsequently deployed the UCP system on October 18, 2024, but work remains to develop additional, more complex functionality, secure the system, and migrate data. GAO's analyses of SBA's efforts show that leading practices for risk management, cybersecurity, and schedule and cost estimation have not been fully implemented. Accordingly, SBA faces an increased risk of additional delays as it completes remaining work and may face challenges with addressing system issues that arise. Extent to Which the Small Business Administration (SBA) Met Selected IT Management Areas for the Unified Certification Platform Modernization IT management area Overall assessment Risk Management ◔ Minimally met Cybersecurity ◑ Partially met Schedule ○ Not met Cost ◔ Minimally met Source: GAO analysis of SBA data. | GAO-25-106963 GAO identified critical management gaps: SBA did not have a project level risk management strategy, a risk mitigation plan, and did not fully identify and document risks. SBA did not document plans for managing cybersecurity risks or conduct a traceability analysis to ensure project security requirements had been met. This increases the likelihood of a successful cyberattack. Further, the project's schedule and cost estimates were unreliable. SBA did not create an integrated master schedule; instead, it used a “road map” that did not meet the characteristics of a reliable schedule. SBA's cost estimate largely relied on subject matter expertise instead of supporting data or methodologies. SBA issued an interim authority to operate for the system in August 2024 while it continues to implement IT security controls. Under schedule pressure, SBA could decide to accept known risks and issue a final authorization to operate with issues not being fully resolved. If taking such an action, consideration of the probability and resulting impact of accepted risks is essential. Why GAO Did This Study In fiscal year 2023, the federal government awarded $178.6 billion in contracts to small businesses. SBA promotes small business participation in federal contracting through a variety of contracting assistance programs. These programs rely on multiple IT systems. However, SBA's past attempts to modernize its IT systems experienced challenges and did not deliver expected results. GAO was asked to review SBA's Unified Certification Platform project. This report (1) describes the project's plans and status, and (2) evaluates the extent SBA has adopted leading practices for risk management, cybersecurity, and schedule and cost estimation for the project. To do so, GAO summarized and analyzed relevant documentation and compared SBA's risk management, cybersecurity, and schedule and cost estimation efforts to leading practices. GAO also interviewed SBA officials.

What GAO Found The Veterans Health Administration's (VHA) Readjustment Counseling Service (RCS) leases facilities to provide counseling at over 300 Vet Centers and satellite locations. RCS monitors the physical condition of these facilities through annual inspections. RCS's inspection process identified physical condition issues at 13 percent of Vet Centers in fiscal year 2023, according to GAO's analysis of RCS data. RCS addresses such issues and improves Vet Centers through projects ranging from replacing furniture to expanding space. RCS's processes fully align with two of the six key characteristics of GAO's asset management framework, and partially align with four (see table). For example, RCS maintains leadership support and a collaborative organizational culture around asset management. However, developing an asset management plan and refining policies could help RCS ensure its assets support its mission, prioritize improvements to Vet Centers, and collect better inspection data. Also, better evaluation of asset management practices could help RCS ensure that these processes help RCS meet its counseling mission. Alignment of Readjustment Counseling Service's Asset Management Processes with Key Characteristics of GAO's Asset Management Framework Characteristic RCS processes Alignment Leadership support RCS leadership supports asset management and provides necessary resources. Fully aligns Collaborative organizational culture RCS promotes a culture of information sharing regarding their assets. Fully aligns Establishing policies and plans RCS has some policies related to asset management but does not have a strategic asset management plan that ties to its mission. Partially aligns Maximizing asset value RCS has some policies that consider mission need when identifying new locations but does not have policies for prioritizing improvements. Partially aligns Using quality data RCS collects some data on leasing and improvements but does not consistently collect quality inspection data. Partially aligns Evaluating asset management RCS evaluates some aspects of its inspection process but does not fully evaluate the performance of its asset management practices. Partially aligns Source: GAO analysis of Readjustment Counseling Service (RCS) information and GAO 19-57 | GAO-25-106781. RCS recently worked with VHA's actuarial contractor to develop a VHA model to project demand for counseling and identify where to locate future Vet Centers to better meet veterans' needs. GAO found that RCS's processes for developing the model do not fully align with three of eight actuarial key practices and internal control standards in four areas. Specifically, (1) RCS does not validate the data it provides the contractor, and RCS also does not require the contractor to provide (2) information on the contractor's assumptions, (3) documentation of its model validation, or (4) information on model uncertainty. By better aligning its modeling processes with key practices and internal control standards, RCS could better ensure it locates Vet Centers where demand is greatest. Why GAO Did This Study VHA's 303 Vet Centers provide counseling services to eligible veterans, servicemembers, and their families who are experiencing challenges from readjusting to civilian life or continuing military service. The National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the physical infrastructure of Vet Centers. This report examines (1) how VHA monitors the physical condition of its facilities; (2) the extent to which VHA's processes align with key characteristics of GAO's asset management framework; and (3) the extent to which VHA's model for assessing future location needs aligns with selected key practices and standards, among other issues. GAO analyzed RCS data on leasing and inspections and its demand model. GAO visited three Vet Centers selected based on factors including location and recent inspection results. GAO reviewed documents and interviewed RCS officials to determine the extent to which RCS's processes align with key asset management characteristics, actuarial practices, and internal control standards. GAO also interviewed a non-generalizable sample of Vet Center directors and regional officials.

What GAO Found The Inflation Reduction Act of 2022 (IRA) provided appropriations of about $385 million for new and existing programs that serve Tribes and their citizens. This additional funding has increased the workload for Indian Affairs components implementing IRA programs. Indian Affairs officials said that the workload and competing priorities strain the agency's already-limited workforce capacity. For example, new funding streams increased the workload of Awarding Officials, particularly since only six can approve more complex construction projects. Increase in Inflation Reduction Act of 2022 (IRA) Workload Across Department of the Interior's Indian Affairs Awarding Officials Staff in several components implementing the IRA have regularly worked additional hours per pay period to meet workload demands, based on GAO's analysis of workforce data, and most of the components GAO interviewed described significant vacancies. The IRA appropriated $9.5 million for administrative costs to implement IRA programs that serve Tribes and their citizens, usable over the entire time period when these appropriations are available. Thus far, Indian Affairs has used these administrative funds—supplemented with baseline appropriations—to hire additional staff and contractors. However, Indian Affairs has not yet documented lessons learned from its use of these funds to meet the increased workload and the impact this had on other mission needs. Documenting this information could help Indian Affairs prepare for future administrative costs. In addition, Congress could use this information to help inform decisions about future appropriations. Indian Affairs identified opportunities to improve its capacity through, for example, training and streamlining hiring. However, efficiency challenges—such as lack of written guidance for recruitment and burdensome hiring processes—limit its capacity, and officials said that budget uncertainty impedes sustained investment in capacity-building efforts. Indian Affairs has not identified the resources it needs to pursue capacity-building opportunities. Developing a proposal for Department of the Interior or Congress that identifies these needs could help Indian Affairs improve its capacity and capitalize on legislative opportunities to ensure the agency has the resources it needs to effectively provide essential services to Tribes and their citizens. Why GAO Did This Study Indian Affairs provides services directly to Tribes or funding for tribally administered programs, including support for tribal government operations, law enforcement, natural resource management, and climate preparedness and resilience. GAO has previously reported on lessons learned from Indian Affairs' implementation of major legislation and long-standing challenges with the agency's capacity to manage programs that serve Tribes. The IRA includes a provision for GAO to oversee distribution and use of IRA funds. This report examines how IRA implementation has affected Indian Affairs' capacity, actions the agency has taken to improve capacity that could help meet IRA workload, and opportunities to improve Indian Affairs' capacity. GAO reviewed relevant laws, agency documents, and agency data. GAO interviewed federal officials, federal tribal advisory groups, and tribal organizations selected based on knowledge of Indian Affairs' work with Tribes.

What GAO Found After disruptions during the COVID-19 pandemic in 2020, the Food and Drug Administration (FDA) had largely resumed conducting in-person inspections of foreign and domestic drug manufacturers by March 2022. FDA data show it conducted 621 foreign and 444 domestic inspections in fiscal year 2023, although there were 36 percent fewer than in fiscal year 2019. This decrease was due in part to reduced investigator capacity, according to FDA. As of May 2024, FDA had also progressed with the implementation of two pilot programs intended to address challenges unique to foreign inspections: conducting unannounced inspections and utilizing independent interpreters. FDA expanded the use of alternative tools to maintain oversight of drug manufacturing during the pandemic. FDA has continued to use one tool—relying on inspection reports from trusted foreign regulators—in lieu of conducting inspections. However, FDA's use of other tools—remote assessments of information from manufacturers—has declined and will largely be reserved for more targeted use now that inspections have resumed, according to FDA. GAO previously reported that as of November 2021, FDA had taken steps to reduce vacancies among its drug inspection workforce. However, since then, investigator attrition has generally outpaced hiring and has resulted in a large number of relatively inexperienced investigators. FDA told GAO this has limited the number of inspections FDA can complete. FDA identified root causes of attrition as the frequency and conditions of travel, pay, insufficient training, heavy workload, and issues of work-life balance. It is implementing action plans to address pay and training. FDA has not yet developed action plans to fully address travel, workload, and work-life balance because potential solutions may not allow FDA to meet its inspection needs. However, the continued loss of experienced investigators is already affecting FDA's ability to meet inspection goals. Therefore, developing and implementing action plans to address these remaining root causes will help FDA maintain the experienced workforce it needs to oversee global drug manufacturing. This will require continued collaboration with leadership and other stakeholders to identify any actions, resources, or new authorities necessary to implement such plans. FDA Drug Investigator Vacancies, November 2021–June 2024 Why GAO Did This Study FDA, an agency within the Department of Health and Human Services (HHS), inspects foreign and domestic drug manufacturers as a key oversight tool to ensure the safety and quality of drugs marketed in the U.S. In response to travel disruptions caused by the COVID-19 pandemic, FDA paused many inspections and relied on the use of alternative inspection tools to oversee drug manufacturing. The Consolidated Appropriations Act, 2023, includes a provision for GAO to report on the status of FDA's foreign drug inspections and its use of alternative tools. This report describes the status of FDA in-person inspections, describes FDA's use of alternative tools, and examines FDA investigator vacancies and the agency's efforts to address them, among other objectives. For this work, GAO examined FDA data and documents and interviewed FDA officials and investigators who conducted inspections and used alternative tools. GAO also reviewed documents from and interviewed six stakeholder groups that represent the major components of the drug manufacturing industry.

What GAO Found Out of 11 key practices for performance evaluation, all four military service systems fully incorporated the same five key practices and partially incorporated one key practice. The service systems varied in their implementation of the remaining five practices. Some fully incorporated the practices, some partially incorporated them, and most did not incorporate one practice. Assessment of the Military Services' Officer Performance Evaluation Systems against GAO's Key Practices for Performance Evaluation Note: Fully incorporated: GAO found complete evidence that satisfied the key practice. Partially incorporated: GAO found evidence that satisfied some portion of the key practice. Not incorporated: GAO found no evidence that satisfied the key practice. For example, GAO found that all four service systems fully incorporated the key practice that organizations should establish and communicate a clear purpose for the performance evaluation system by stating the purpose of their systems in relevant policies. In contrast, GAO found that three service systems did not incorporate the practice that organizations should align individual performance expectations with organizational goals because their systems' policies neither align performance expectations with organizational goals nor direct rating officials to do so. By fully incorporating all 11 key practices, the services will have better assurance that their performance evaluation systems are designed, implemented, and regularly evaluated to ensure effectiveness. The 19 promotion board members and 31 active duty officers GAO interviewed provided differing perspectives on the value of information in officer performance evaluation reports and on the extent to which reports support officer development. Promotion board members stated that evaluation reports provided sufficient information to inform their decisions about which officers to recommend for promotion. Some active duty officers stated that the reports provide a clear and relevant tool for assessing performance and supporting officer development. Conversely, others stated that factors such as misused or overused narrative may prevent a clear picture of officer performance areas in need of growth. Why GAO Did This Study Military service performance evaluation systems provide necessary performance information for approximately 215,000 active duty commissioned officers across the Department of Defense (DOD). They also support decisions about officer promotions and placements. These decisions affect the composition and quality of the military's current and future leadership. Public Law 117-263 includes a provision for GAO to review the military services' officer performance evaluation systems. This report examines (1) the extent the military services' active duty officer performance evaluation systems incorporate key practices for performance evaluation, and (2) how officer performance evaluations inform promotion board determinations and support officer development. GAO developed 11 key practices for performance evaluation; reviewed military service policies, manuals, forms, and other documentation; conducted nongeneralizable interviews with 19 promotion board members and 31 active duty officers; and interviewed DOD officials.

As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role. The Big Picture Over the last several years, there have been increased cyberattacks in the healthcare and public health critical infrastructure sector. Recently, in February 2024, Change Healthcare (a health payment processor) became the victim of a ransomware cyberattack that involved the theft of data resulting in estimated losses of $874 million and widespread impacts on healthcare providers and patient care. Illustration of Example Ransomware Cyberattack Impacts As the lead federal agency for the healthcare and public health sector, HHS is responsible for strengthening cybersecurity in the sector. These responsibilities include coordinating with the Cybersecurity and Infrastructure Security Agency (CISA), the national coordinator for critical infrastructure security and resilience. What GAO’s Work Shows Our prior work has highlighted HHS' challenges in carrying out its lead responsibilities for sector cybersecurity. The department has not yet implemented all our recommendations to address these challenges. Supporting Healthcare Cyber Risk Management HHS has several initiatives intended to mitigate ransomware risks for healthcare and public health. Nevertheless, our prior work has found that the department had not adequately monitored the sector's implementation of ransomware mitigation practices. For example, in January 2024, we reported that HHS released results of an analysis of U.S. hospitals' cybersecurity. Among other things, the analysis found that participating hospitals had self-assessed that they had adopted 70.7 percent of the National Institute of Standards and Technology Cybersecurity Framework's functional areas of identify, detect, protect, respond, and recover. However, at the time of our report, HHS was not yet tracking adoption of the ransomware-specific practices outlined in the framework. Although HHS officials told us that they would be able to assess implementation of key concepts in the framework, the department did not provide evidence of its efforts to do so. Without full awareness of the sector's adoption of cybersecurity practices, HHS risks not directing resources where needed. We recommended that HHS, in coordination with CISA and sector entities, determine the sector's adoption of leading cybersecurity practices that help reduce ransomware risk. Our January 2024 report also found that HHS had not evaluated the effectiveness of the support it provides to the sector. Specifically, we reported that HHS provided various types of support, such as guidance documents, training, job aids, and threat briefings to help the sector manage ransomware risks. However, the department did not demonstrate that it evaluated which type of support would be the most effective. As a result, the department could not fully address concerns about communication, coordination, and timely sharing of threat and incident information. We recommended that HHS, in coordination with CISA and sector entities, develop evaluation procedures to measure the effectiveness of its support in helping to reduce ransomware risk. Assessing Sector Cybersecurity Risks In addition to IT, the sector relies on Internet of Things (IoT) and operational technology (OT) devices and systems to provide essential healthcare and public health services. In December 2022, we reported that HHS had ongoing risk activities for medical devices, a specific type of IoT device. However, HHS had not conducted a comprehensive sector-wide cybersecurity risk assessment addressing IoT and OT devices. As a result, the department did not know what additional security protections were needed to address growing and evolving threats. We recommended that HHS include IoT and OT devices as part of the risk assessments of the sector's cyber environment. Coordinating and Collaborating for Sector Cybersecurity Within HHS, the Administration for Strategic Preparedness and Response (ASPR) is responsible for leading collaboration efforts to strengthen the security and resilience of the sector. In June 2021, we reported that ASPR was leading or co-leading several working groups focused on supporting the sector. In doing so, we determined that ASPR demonstrated most leading collaboration practices for those working groups. However, it did not fully or consistently: monitor the working groups' progress towards meeting defined goals, clarify responsibilities for carrying out the groups' roles, or regularly update the charter describing how the working groups are to collaborate. As a result, ASPR could not ensure that it was effectively collaborating to improve cybersecurity. We recommended that ASPR take action to fully and consistently demonstrate leading collaboration practices . Our May 2020 report found that the Centers for Medicare and Medicaid Services (CMS)—an HHS component agency—established cybersecurity requirements to protect the data that it shares with state government agencies. However, these requirements often had parameters that conflicted with those established by other federal agencies that share data with states, such as the Social Security Administration. An example of a conflicting parameter is agencies defining different values for the number of consecutive unsuccessful log-on attempts prior to user lockout. We also determined that while CMS had policies in place for coordinating with state agencies when assessing states' cybersecurity, they did not have such policies on coordinating with other federal agencies on the assessments. The conflicting parameters can place an unnecessary burden on state officials' time and resources. This in turn could lead to reduced attention on other important cybersecurity efforts. We recommended that CMS solicit input from relevant federal agencies on revisions to its security policy to ensure consistency across cybersecurity requirements for state agencies. We also recommended that CMS revise its assessment policies to maximize coordination with other federal agencies. Until HHS implements our prior recommendations related to improving cybersecurity, the department risks not being able to effectively carry out its lead agency responsibilities, resulting in potential adverse impact on healthcare providers and patient care. For more information, contact: Jennifer R. Franks, FranksJ@gao.gov, (404) 679-1831.

What GAO Found Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies' efforts to use software in cloud computing. Officials from five of the six selected agencies described multiple impacts that they had experienced from restrictive software licensing practices. The agencies impacted were the Departments of Justice (DOJ), Transportation (DOT), and Veterans Affairs (VA); the National Aeronautics and Space Administration (NASA); and the Social Security Administration (SSA). Officials from the remaining agency, the Office of Personnel Management (OPM), reported that it had not encountered any restrictive licensing practices. The following table summarizes the impacts. Impacts from the Restrictive Licensing Practices Experienced by Five Selected Agencies Type of impact Description of restrictive practice Number of agencies experiencing impact Cost increase (4 agencies) Vendor required repurchase of same licenses for use in cloud. 3 Vendor charged additional fees to use its software on infrastructure from other cloud service providers. 2 Vendor charged more (e.g., a conversion fee) to migrate its software to the cloud under an agency's existing licenses used in on-premise systems. 1 Limit on choice of cloud service provider or cloud architecture (3 agencies) Vendor required or encouraged agencies to use its software on that vendor's own cloud infrastructure (i.e., encouraged vendor lock-in). 3 A contractor that migrated an agency's data into a vendor's cloud infrastructure required the agency to pay to regain ownership of the data at the end of the contract, which encouraged vendor lock-in. 1 A vendor for an on-premise private cloud did not allow another vendor's software to be used with its hardware, thereby creating vendor lock-in. 1 Source: GAO analysis of information provided by agency officials. | GAO 25 107114 None of the six selected agencies had fully established guidance that specifically addressed the two key industry activities for effectively managing the risk of impacts of restrictive practices. These activities are to (1) identify and analyze potential impacts of such practices, and (2) develop plans for mitigating adverse impacts. Furthermore, of the five agencies that reported encountering restrictive practices, three agencies partially implemented the key activities to manage those restrictive practices and the other two agencies—DOT and VA—did not demonstrate that they had fully implemented either of the activities. Key causes for the selected agencies' inconsistent implementation of the two activities included that (1) none of the agencies had fully assigned responsibility for identifying and managing restrictive practices, and (2) the agencies did not consider the management of restrictive practices to be a priority. Until the agencies (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices, they will likely miss opportunities to take action to avoid or minimize the impacts. Why GAO Did This Study Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices. GAO was asked to review the impacts of restrictive software licensing on federal agencies. This report (1) describes how restrictive software licensing practices impacted selected agencies' cloud computing services and (2) evaluates the extent to which selected agencies effectively managed the potential impact of such practices. To do so, GAO interviewed IT and acquisition officials from six randomly selected agencies and 11 selected cloud investments within those agencies. These investments included a mix of cloud computing types, among other things. GAO also assessed relevant policies and documentation of agency efforts to manage restrictive licensing practices and compared them to key activities for risk and acquisition management identified by industry.

What GAO Found GAO identified three technologies in science, technology, and engineering that are trending toward maturity. These technologies are: Gene editing to treat or prevent disease, which may advance treatments for diseases such as cystic fibrosis. The development of gene editing may be limited by ethical concerns, particularly when factors such as whether the results of such editing can be inherited by children are included. Implications of such technologies include the high costs—currently over $2 million per patient—and whether federal funds may be used for certain types of gene editing. A potential consideration for policymakers, such as legislative bodies, government agencies, and other groups, is how the current federal funding restrictions may affect future gene editing research. Space-based manufacturing of semiconductor crystals, which may enable the production of high-quality semiconductors. The unique conditions of space—such as microgravity, a natural vacuum, and reduced contamination—could enable the production of semiconductor crystals with fewer defects and greater purity than those manufactured on Earth. These semiconductors could lead to more powerful computers, faster communication systems, and improved consumer electronics. The implications of such technologies include the dependency on foreign supply chains for raw materials, and safeguarding the spacecraft needed for enabling such manufacturing. A potential consideration for policymakers is whether a comprehensive licensing framework for investment, development, and intellectual property protection would benefit the development of these technologies. Biodegradable bioplastics, which may help reduce microplastic pollution through recent innovations, including algae-based or self-biodegradable bioplastics. The implications of such technologies include carbon dioxide emissions from biodegradation as well as increased complexity for consumers to make eco-friendly choices. Potential considerations for policymakers are increased clarity for labeling of such technologies, such as explicit notation of the conditions needed for biodegradation, and increased consumer education to help align the expectations of the technologies’ end of life procedures with consumer behavior. Why GAO Did This Study Science and technology are constantly evolving, and there is a need for analysis of emerging trends of the future to help prepare for disruptions that may have major impacts in the lives of Americans. To address this need, GAO developed this report focused on technologies approximately 10 years on the horizon. The goal is to provide foresight into developing technologies that could have significant impacts on Americans. GAO described developments in these technologies and how they may be affected by various elements which may be useful for policymakers, such as legislative bodies, government agencies, or other groups, to consider. These elements include the five domains in the STEER framework: social impacts, technology drivers, environmental impacts, economic drivers, and the regulatory landscape. To conduct this work, GAO relied on a review of scientific literature from academic journals and position papers and held semi-structured interviews with five experts across the three technologies. GAO relied on the judgment of its engineers and scientists and consideration of the collected information to describe key aspects of the technological trends, including identifying technological developments, market conditions, or economies of scale that could further accelerate the maturity of these new technologies, and considerations for policymakers.; For more information, contact Sterling Thomas, PhD, at (202) 512-6888 or ThomasS2@gao.gov or Stephen Sanford, at (202) 512-4707 or sanfords@gao.gov.

What GAO Found Early in the pandemic, federal agencies prioritized swiftly distributing funds and implementing new programs to help businesses and individuals adversely affected by COVID-19. While this swift response helped meet urgent needs, it involved trade-offs that put billions of dollars at increased risk for improper payments, including overpayments. Small Business Administration (SBA) and Department of Labor (DOL) programs accounted for a large portion of COVID-19 relief funding and experienced heightened improper payment risks. SBA provided more than $1 trillion in loans and grants, primarily through the Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loans (EIDL). DOL's Unemployment Insurance (UI) program expenditures totaled about $900 billion. For fiscal year 2023, SBA reported an estimated 40.5 percent of PPP loan forgiveness and 49.2 percent of PPP guarantee purchase payments were improper. DOL estimated 35.9 percent of Pandemic Unemployment Assistance payments were improper. SBA loan review processes. For both the PPP and COVID-19 EIDL, SBA loan review processes are not effectively identifying overpayments. Further, SBA could not demonstrate how it accounted for overpayment risks associated with new PPP lenders in its review processes. Including lenders in the financial technology sector helped the PPP reach borrowers. However, it also increased the risk of overpayments as SBA relied on these lenders' processes and controls as part of review and approval of borrower loan applications. DOL guidance and procedures. Pandemic-related UI programs generally follow guidance in DOL's regular UI program letters. This guidance lists three administrative functions to help ensure UI program integrity. States must (1) detect benefits paid through error, (2) deter claimants from obtaining benefits through willful misrepresentation, and (3) recover overpaid benefits under certain circumstances. DOL provides resources to states to assist with recoveries of pandemic-related UI overpayments. This includes training on updated guidance and procedures, funding opportunities to help states ensure timely benefit payments, and tools to facilitate more effective identity verification processes. Overpayment recovery efforts. SBA tracks certain data related to PPP and COVID-EIDL improper payments, but it does not have a sufficient process for tracking identified overpayments and subsequent recoveries. Without these data, SBA cannot ensure that it is maximizing the potential of certain recovery methods, which may limit recoveries. DOL's UI recovery rate calculation does not include all identified overpayments. DOL subtracts waived overpayments from its calculation, which may inflate the recovery rate. States have had little success in recovering overpayments. As of April 2024, states recovered approximately $3.7 billion of the $55.2 billion overpayments identified in the pandemic-related UI programs from March 2020 through September 2023. Further, DOL did not set an overpayment recovery rate baseline for states to meet. Including a measurement of success in guidance to State Workforce Agencies could better position DOL to monitor states' efforts to recover overpayments from future temporary programs. Why GAO Did This Study In response to the COVID-19 pandemic, Congress provided funding to assist small businesses through SBA's PPP and COVID-19 EIDL programs. Congress also created four temporary DOL UI programs to support workers adversely affected by the pandemic. The demand for these programs and the need to deliver aid quickly increased the risk of improper payments, including overpayments. Effective post-payment control processes help agencies to identify and recover overpayments after they have occurred. The CARES Act includes a provision for GAO to monitor COVID-19 pandemic relief funds. This report (1) examines the extent to which SBA and DOL have developed processes for identifying and recovering COVID-19 overpayments and (2) analyzes the success of agency efforts in recovering COVID-19 overpayments. GAO analyzed SBA and DOL documentation regarding overpayment identification and recovery efforts, reviewed relevant laws and guidance, analyzed public datasets, and interviewed federal officials.

What GAO Found The Department of Justice (DOJ) closed a higher volume of FBI whistleblower retaliation complaints from 2018 to 2022 compared to GAO's last review of complaints closed from 2009 to 2013. See figure for the number of complaints DOJ closed since GAO's last report. FBI Whistleblower Retaliation Complaints Closed by Department of Justice from 2009 through 2013 and 2018 through 2022 DOJ took 7 years to update its regulations to address the FBI Whistleblower Protection Enhancement Act of 2016, which, among other things, provides that FBI employees can report wrongdoing, or make protected disclosures, to supervisors in their direct chain of command. Until DOJ updated its regulations in 2024 to align with the statute, some complainants experienced difficulties when making protected disclosures to supervisors. Identifying an office primarily responsible for a regulation involving multiple components and establishing anticipated time frames for the stages of the rulemaking process can help ensure regulations are timely issued. Statutory changes in fiscal year 2023 provide FBI employees with rights to seek relief from the U.S. Merit Systems Protection Board. However, the amendments contain ambiguities—such as when determinations and corrective action orders are considered final—creating challenges for DOJ in consistently interpreting the new rights. As a result, DOJ is unable to provide clear information to complainants of their rights. Clarifying the statute would help ensure FBI whistleblower retaliation complainants can appropriately exercise their rights to seek relief from the U.S. Merit Systems Protection Board. Previously, FBI whistleblower retaliation complainants could only appeal within DOJ. DOJ's Office of the Inspector General has a process for reviewing allegations of retaliatory security clearance and access determinations, including suspensions, revocations, and denials. GAO found that four FBI whistleblower retaliation complainants alleged such retaliatory actions from 2018 through 2023. However, mandatory training does not mention DOJ's Office of the Inspector General review of such retaliatory actions. Updating the training would ensure individuals know that they may utilize DOJ's Office of the Inspector General's review to seek corrective action. Further, GAO found that DOJ's policy concerning the review of retaliatory security clearance and access determinations was inconsistent with statute. In July 2024, DOJ updated the policy, but further revisions are needed to ensure complainants receive appropriate corrective action when DOJ's Office of the Inspector General finds that retaliation occurred. Why GAO Did This Study Whistleblowers help safeguard the federal government against waste, fraud, and abuse—however, they also risk retaliation by their employers. FBI employees are protected from retaliation for reporting wrongdoing by specific statutory provisions. DOJ has issued regulations and established a process to handle their complaints. GAO was asked to review DOJ's process for handling FBI whistleblower retaliation complaints since GAO's last report in 2015. This report examines the timeliness and outcomes of complaints, progress DOJ made to address new protections, and the extent to which DOJ and FBI have processes for reviewing retaliatory security clearance and access determinations. GAO reviewed a generalizable sample of 169 FBI whistleblower retaliation complaints closed from 2018 through 2022. GAO also interviewed FBI whistleblowers, attorneys, and advocates as well as officials from DOJ, FBI, and other agencies about the complaint process.

What GAO Found Since GAO's 2015 report, DOJ has made changes to its process for handling FBI whistleblower retaliation complaints. However, areas for improvement remain. During our review of Federal Bureau of Investigation (FBI) whistleblower protections, GAO found that the Department of Justice (DOJ) Office of the Inspector General did not consistently meet regulatory notification requirements to contact FBI whistleblower retaliation complainants within 15 days of receiving the complaint. In reviewing complaints closed from 2018 through 2022, GAO found that the investigating offices did not meet the 15-day requirement in an estimated 46 percent of complaints. GAO also found that mandatory training for FBI employees co-sponsored with the FBI did not communicate that FBI whistleblower retaliation complainants may seek review by DOJ's Office of the Inspector General if they believe a retaliatory security clearance or access determination has been taken in retaliation for a protected disclosure. Why GAO Did This Study Whistleblowers help safeguard the federal government against waste, fraud, and abuse—however they also risk retaliation by their employers. FBI employees are protected from retaliation for reporting wrongdoing by specific statutory provisions. DOJ has issued regulations and established a process to handle their complaints. GAO was asked to review DOJ's process for handling FBI whistleblower retaliation complaints since GAO's report in 2015. GAO is concurrently issuing this management report and a broader report on FBI whistleblower retaliation protections. This management report examines the timeliness of DOJ's Office of the Inspector General notifications to complainants and whether mandatory training clearly communicates that complainants may seek review of retaliatory security clearance and access determinations by DOJ's Office of the Inspector General. The broader report examines timeliness and outcomes of complaints and DOJ and FBI processes for reviewing retaliatory security clearance and access determinations, among other things. GAO examined a generalizable sample of FBI whistleblower retaliation complaints, including complaints closed by DOJ's Office of the Inspector General, from 2018 through 2022. GAO also interviewed FBI whistleblowers, attorneys, and advocates as well as officials from DOJ, FBI, and other agencies about the complaint process.

What GAO Found In fiscal years 2021–2023, the Securities and Exchange Commission (SEC) initiated 21 program inspections of the Financial Industry Regulatory Authority, Inc. (FINRA). These inspections covered eight of the 10 issue areas specified in Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, including conflicts of interest management and transparency of governance. SEC covered the remaining two areas (former FINRA employees and advertising by FINRA members) in an inspection before 2021, and in a separate review in 2023, respectively. To identify changing risks and priorities for its inspections and examinations, SEC conducts annual planning that incorporates stakeholder input and assesses potential risks. SEC also identifies emerging risks through ongoing monitoring of FINRA, which includes its tips, complaints, and referrals process. Section 964 Areas Covered in SEC Program Inspections of FINRA Initiated in Fiscal Years 2021–2023 In 2022, SEC established new outcome-based performance measures and goals in response to a prior GAO recommendation. SEC reported meeting its performance goals. For example, SEC met its target for findings for which FINRA agreed to take corrective action. This is a public version of a sensitive report GAO issued in July 2024. GAO omitted from this report information that SEC deemed sensitive. Why GAO Did This Study FINRA, a self-regulatory organization, regulates more than 3,300 securities firms doing business with the public in the U.S. SEC oversees FINRA's operations and programs. Section 964 of the Dodd-Frank Wall Street Reform and Consumer Protection Act includes a provision for GAO to triennially report on specified aspects of SEC's oversight of FINRA. GAO issued prior reports in May 2012 (GAO-12-625), April 2015 (GAO-15-376), July 2018 (GAO-18-522), and a sensitive report in July 2021 (GAO-21-576SU) that was followed by a public version in December 2021 (GAO-22-105367). This report examines the (1) extent to which SEC's oversight in fiscal years 2021–2023 included the areas specified in Section 964 and ways in which it incorporated changing risks, and (2) SEC's steps to assess recent changes to its FINRA oversight. GAO examined case files for SEC reviews of FINRA for fiscal years 2021–2023; reviewed SEC policies, procedures, and analyses; and interviewed SEC and FINRA staff. For more information, contact Michael E. Clements at (202) 512-8678 or ClementsM@gao.gov.

What GAO Found In fiscal year 2024, the Internal Revenue Service (IRS) collected about $5.1 trillion in taxes and paid out more than $553 billion in tax refunds, credits, and other payments. 2024 IRS Collections of Federal Taxes, by Type In GAO's opinion, IRS's fiscal years 2024 and 2023 financial statements are fairly presented in all material respects, and although internal controls could be improved, IRS maintained, in all material respects, effective internal control over financial reporting as of September 30, 2024. GAO's tests of IRS's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements disclosed no instances of reportable noncompliance in fiscal year 2024. Limitations in the systems IRS uses to account for federal taxes receivable and other unpaid assessment balances, as well as other control deficiencies that led to errors in taxpayer accounts, continued to exist during fiscal year 2024. These control deficiencies affect IRS's ability to produce reliable financial statements without using significant compensating procedures. These control deficiencies are significant enough to merit the attention of those charged with governance of IRS and therefore represent a continuing significant deficiency in internal control over financial reporting. Continued management attention is essential to fully addressing this significant deficiency. IRS continued to take steps to address deficiencies in its internal control over financial reporting. IRS sufficiently addressed certain information system control deficiencies such that GAO no longer considers the control deficiencies in this area, individually or collectively, to represent a significant deficiency. However, it is important for IRS management to continue to build on the progress it has made in addressing control deficiencies. In commenting on a draft of this report, IRS stated that it was pleased to receive an unmodified opinion on its financial statements. IRS also commented on its progress in reducing open recommendations and in resolving a significant deficiency in information system controls. IRS also noted its intention to continue working to improve its internal controls. Why GAO Did This Study In connection with fulfilling GAO's requirement to audit the consolidated financial statements of the U.S. government, and consistent with its authority to audit statements and schedules prepared by executive agency components, GAO has audited IRS's financial statements because of the significance of IRS's tax collections to the consolidated financial statements of the U.S. government. GAO annually audits IRS's financial statements to determine whether (1) the financial statements are fairly presented and (2) IRS management maintained effective internal control over financial reporting. GAO also tests IRS's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements. IRS's tax collection activities are significant to overall federal receipts, and the effectiveness of its financial management is of substantial interest to Congress and the nation's taxpayers. For more information, contact Dawn B. Simpson at (202) 512-3406 or simpsondb@gao.gov.

What GAO Found For the audit period of this report, the Single Audit Act requires nonfederal entities that spend $750,000 or more in federal awards in a year to undergo a single audit, which is an audit of an entity's financial statements and federal awards, or in select cases a program-specific audit. The Office of Management and Budget's (OMB) single audit guidance requires that federal awarding agencies ensure that award recipients submit single audit reports timely. As federal awarding agencies, the Department of the Interior and the Department of the Treasury track the submission of required single audit reports from tribal recipients (see figure). Interior appropriately designed procedures to identify and track tribal recipients that did not submit required single audit reports or were not required to do so, but Treasury has not. Treasury stated that it did not have existing single audit processes when its COVID-19 relief programs were established. By finalizing and implementing such procedures, Treasury could better ensure that its recipients are meeting its program requirements. Single Audit Report Submissions Tracked by Interior and Treasury for Tribal Recipients Awarded COVID-19 Relief Funds, Fiscal Years 2020 through 2022, as of October 31, 2023 OMB's single audit guidance also requires awarding agencies to follow up on single audit findings to ensure that award recipients take timely and appropriate action to correct deficiencies identified by the audits. GAO found that both Interior and Treasury have policies and procedures to review findings and issue management decisions on the adequacy of tribal entities' plans to correct findings, but Treasury did not issue timely management decisions. In addition, neither agency has procedures for appropriately monitoring the implementation of tribal entities' corrective action plans. Until Interior and Treasury develop such procedures, these agencies may be missing opportunities to improve their oversight of federal awards and to help tribal entities address findings. Interior and Treasury assisted tribal entities that received COVID-19 relief funds in complying with funding and single audit requirements. In general, tribal-serving organizations and a tribal official that GAO spoke with stated that Interior and Treasury have improved their assistance since the beginning of the COVID-19 pandemic. However, the tribal-serving organizations also noted that agency assistance did not fully consider the unique needs of tribal recipients and offered suggestions for enhancing such assistance. Why GAO Did This Study Treasury and Interior awarded $32.7 billion in COVID-19 relief funds to tribal entities, including two of the largest COVID-19 relief programs for tribal governments. Under the Single Audit Act, federal agencies are required to provide oversight for the funds that they award. The CARES Act includes a provision for GAO to report on its ongoing monitoring efforts related to the COVID-19 pandemic. This report examines Interior's and Treasury's policies and procedures for (1) tracking the timely submission of required single audit reports from tribal entities to which the agencies awarded COVID-19 relief funds and (2) reviewing and following up on the findings of these audits. It also describes the assistance these agencies provided to tribal entities to help them navigate the single audit process. GAO interviewed agency officials, three tribal-serving organizations, and a Tribe; analyzed agency data on tribal recipients of COVID-19 relief funds and tribal single audit submissions; and reviewed relevant federal statutes, regulations, and agency policies and procedures related to tracking and reviewing single audit reports.

What GAO Found GAO found (1) the Bureau of the Fiscal Service's Schedules of Federal Debt for fiscal years 2024 and 2023 are fairly presented in all material respects and (2) Fiscal Service maintained, in all material respects, effective internal control over financial reporting relevant to the Schedule of Federal Debt as of September 30, 2024. GAO's tests of selected provisions of applicable laws, regulations, contracts, and grant agreements related to the Schedule of Federal Debt disclosed no instances of reportable noncompliance for fiscal year 2024. Over the past 10 years, from fiscal year 2014 through fiscal year 2024, total federal debt managed by Fiscal Service has increased from $17.8 trillion to $35.5 trillion. Total Federal Debt Outstanding, September 30, 2014, through September 30, 2024 Note: A small amount of total federal debt is not subject to the debt limit. During fiscal year 2024, total federal debt increased by about $2.3 trillion, with about $2.0 trillion of the increase in debt held by the public. The primary reason for increases in debt held by the public is a consequence of borrowing to finance annual budget deficits. The budget deficit for fiscal year 2024 was $1.8 trillion. Additionally, interest on debt held by the public has increased significantly over the last 3 fiscal years, from $497 billion in fiscal year 2022 to $909 billion in fiscal year 2024 (an 83 percent increase). The statutory debt limit was last raised on December 16, 2021. On June 3, 2023, the Fiscal Responsibility Act of 2023 was enacted, suspending the debt limit through January 1, 2025, thereby covering all of fiscal year 2024. Absent action to increase or suspend the debt limit by the end of the current suspension period, on January 2, 2025, the debt limit will be increased to the amount of qualifying federal debt securities outstanding on that date. The current approach to the debt limit has created uncertainty and disruptions in the Treasury securities market and increased borrowing costs. Under current policy, spending is expected to exceed revenue, resulting in persistent and widening budget deficits, causing debt held by the public to rise continuously relative to the economy. The federal government is on an unsustainable fiscal path over the long term. Why GAO Did This Study GAO audits the consolidated financial statements of the U.S. government. Because of the significance of the federal debt to the government-wide financial statements, GAO audits Fiscal Service's Schedules of Federal Debt annually to determine whether, in all material respects, (1) the schedules are fairly presented and (2) Fiscal Service management maintained effective internal control over financial reporting relevant to the Schedule of Federal Debt. Further, GAO tests compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements related to the Schedule of Federal Debt. Federal debt managed by Fiscal Service consists of debt held by the public and intragovernmental debt holdings. Debt held by the public primarily represents the amount the federal government has borrowed to finance cumulative cash deficits and is held by investors outside of the federal government. Intragovernmental debt holdings represent federal debt owed by Treasury to federal government accounts that typically have an obligation to invest their excess annual receipts (and interest earnings) over disbursements in federal securities.

What GAO Found Between decennial censuses, the Census Bureau (Bureau) Population Estimates Program (PEP) annually disseminates population and housing unit estimates. These annual population estimates are used by state, local, and tribal governments (governmental units) to allocate federal funds, among other purposes. Following the 2020 Census, the Bureau modified its methodology for developing estimates, in part, because of challenges created by the pandemic. Historically, the base for the annual population estimate was the latest decennial census. The Bureau is now using a "blended" population base that, in addition to 2020 Census data, relies on other sources of data, such as demographic analysis (DA). DA estimates are developed from current and historical vital records and other sources. DA estimates are independent from the 2020 Census. According to Bureau officials, there are about 10 ongoing research projects to improve the annual population and housing unit estimates, some of which are multiyear projects. For example, one of those projects is researching how to improve the estimates of the foreign-born population. The Population Estimates Challenge Program (PECP) provides state and local governments the ability to challenge annual population estimates. The Bureau solicited and incorporated feedback from the public to improve the PECP through the Federal Register. For example, the Bureau announced, in the Federal Register, that governmental units are not limited to submitting a challenge digitally. They may still submit a physical copy of the challenge paperwork to the Bureau. According to the public comments, governmental units want the Bureau to accept more data sources when a challenge is submitted. Bureau officials said they are open to accepting more data sources for challenges that are supported by research. The Bureau refers to each population estimate series as a "vintage." For example, Vintage 2022 covers April 1, 2020, through July 1, 2022. The Bureau released the first set of results from the PECP for Vintage 2022 on February 28, 2024. For Vintage 2022, governmental units submitted 12 challenges, according to the Bureau. The Bureau revised population estimates in response to seven of those challenges made through the PECP. Bureau officials told us that of those seven challenges, all localities saw their population change in the direction they expected. Five saw their populations increase and two saw their populations decrease. The other five challenges submitted, that were not accepted, either did not meet Bureau requirements or the locality withdrew the challenge. For example, feedback was given to two of the counties that did not meet Bureau requirements. In both cases the Bureau received a revised submission, but the counties still did not meet the Bureau's guidelines. Why GAO Did This Study A House Report that accompanied the Commerce, Justice, Science, and Related Agencies Appropriations Bill 2023 includes a provision for GAO to review the Bureau's efforts and provide a briefing within 180 days of the Bureau completing its related work on the PECP. We provided that briefing for the Commerce, Justice, Science, and Related Agencies Appropriations Subcommittee House of Representatives and Senate on August 26, 2024. This report summarizes the briefing and describes (1) changes that were made to the PEP and the PECP following the release of 2020 Census data, as well as other changes being considered, and (2) the first set of PECP results that were released in February 2024. GAO reviewed key components of the PEP and PECP methodology changes following the 2020 Census and the Vintage 2022 challenge results. GAO also interviewed Bureau officials about ongoing research and testing for the PEP and PECP, and the rationale for accepting some challenges but not others. For more information, contact Yvonne D. Jones at (202) 512-6806 or jonesy@gao.gov.