What GAO Found Threat actors, such as state-sponsored hackers or criminal groups, are increasingly capable of carrying out cyberattacks on water and wastewater systems. This capability comes from the increasing connections between operational technologies—which control valves, pumps, and other physical devices—and internet-enabled devices. Internet-enabled devices can provide remote access to control pumps and other infrastructure. Remote access can be helpful over large and widely distributed water and sewer systems. However, the convergence of operational technologies and internet-enabled devices has also increased the ability of online attackers to reach critical operational systems. Water and wastewater systems have faced challenges reducing their vulnerability to cyberattacks. For example, systems have varying levels of cybersecurity capabilities. Systems are also managing workforce shortages and older technologies that are difficult to update with modern cybersecurity protections. Systems must also prioritize limited financial resources, so meeting regulatory requirements for clean and safe water may out-compete cybersecurity investments. Water and Wastewater Systems are Vulnerable to Cyberattack In 2024, GAO found that the Environmental Protection Agency (EPA) had not performed key cybersecurity risk management steps for the sector and made recommendations to address these shortfalls. In response, EPA conducted a water sector risk assessment and developed a risk management plan to guide its efforts to mitigate priority risks. GAO also reported that EPA had faced legal challenges in its efforts to ensure water and wastewater entities took action to improve their cybersecurity. In response to GAO’s recommendation to evaluate the sufficiency of its legal authorities, EPA identified several critical gaps. Specifically, EPA identified a lack of cybersecurity risk assessment requirements for wastewater systems and certain drinking water systems. EPA also identified significant limitations in its authority under federal drinking water and clean water laws to address those gaps. GAO will continue to monitor how EPA addresses these limitations. Why GAO Did This Study Recent cyber incidents and security alerts highlight the vulnerability of the close to 170,000 water and wastewater systems that make up the U.S. water and wastewater systems sector (water sector). The water sector is one of 16 critical infrastructure sectors. GAO has identified the cybersecurity of critical infrastructure as a component of the cybersecurity high-risk area, which is one of nine high-risk areas needing focused executive and congressional attention. A successful cyberattack on a water or wastewater system could lead to service disruptions that harm public health or the environment. These systems have already experienced ransomware attacks, which use malicious software to deny access to IT systems or data. EPA is responsible for leading, coordinating, and supporting activities to reduce cybersecurity risk to the water sector. EPA works in partnership with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and other federal, state, and local entities. This statement addresses the cybersecurity challenges facing the water sector and EPA’s actions to address the sector’s cybersecurity risks. This statement is based on GAO’s August 2024 report on cybersecurity risks to U.S. water and wastewater systems (GAO-24-106744); documents provided by EPA in response to GAO’s recommendations; and publicly available information, as of May 2026, regarding challenges and EPA’s water sector cybersecurity efforts. For more information, contact David B. Hinchman at hinchmand@gao.gov or J. Alfredo Gómez at gomezj@gao.gov.

What GAO Found There are 18 intelligence community (IC) elements in the federal government. These elements have implemented a range of guidance through various sources to provide protections to service members under the Uniformed Services Employment and Reemployment Rights Act of 1994, as amended (USERRA). Of these 18 IC elements, seven have statutory requirements under USERRA that are distinct from those of other federal agencies. These statutory requirements are delineated in USERRA under sections 4315 and 4325 of title 38, U.S. Code and include statutory provisions that apply to the seven IC elements listed in the figure below.   These seven IC elements have statutory requirements to provide reemployment protections under USERRA and include five provisions that are statutorily required to be in their guidance. However, GAO found that four of these IC elements—DIA, NRO, NSA, and FBI—have not included all five of these provisions in their guidance. Better meeting the intent of sections 4315 and 4325 of title 38, U.S. Code, could help these four elements stave off potential issues. For example, it could help ensure that service members are not being discriminated against because of their military service. By including in their guidance all five of the IC reemployment provisions that are statutorily required, DIA, NRO, NSA, and FBI can better ensure service members are informed of their rights under USERRA. GAO also found that the seven IC elements have reemployed all service members that went on military duty for 30 days or more from fiscal years 2019 through 2025, according to data reported by officials from these elements. Why GAO Did This Study USERRA prohibits employers from discriminating and retaliating against veterans and service members because of their military status or service. Specifically, USERRA protects the employment and reemployment rights of service members who temporarily leave government or private sector civilian jobs to perform military or other uniformed service. The Senator Elizabeth Dole 21st Century Veterans Healthcare and Benefits Improvement Act includes a provision for GAO to examine how the IC protects rights afforded to service members under USERRA. This report describes the guidance that IC elements have implemented to provide protections to service members under USERRA, and examines the extent to which the seven IC elements include the five provisions that are statutorily required to be in their guidance. GAO assessed guidance against statutory requirements under USERRA, analyzed reemployment and claims data, and interviewed relevant officials about their efforts to provide reemployment protections to service members.

What GAO Found The Veterans Health Administration (VHA) uses the services of external entities, known as business associates, to act on behalf of health care providers or other business associates to create, receive, maintain, or transmit protected health information (PHI). Veterans Affairs (VA) has implemented PHI sharing agreements with these entities to ensure they address requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. GAO reviewed 73 randomly selected sharing agreements and found that 100 percent of them included all 12 HIPAA Privacy Rule requirements for use and disclosure of PHI. Further, VHA documented responsibilities for conducting performance audits to confirm that external entities are protecting veterans’ PHI. VA took steps to secure the health information in a key system used by its Million Veteran Program (MVP), which is focused on examining how genetics, lifestyle, military experiences, and exposures affect health and wellness in veterans. However, deficiencies existed in certain cybersecurity controls related to asset and risk management; configuration management; identity and access management; and continuous monitoring and logging. As a result of these deficiencies, VA had reduced assurance of the confidentiality and integrity of sensitive health information in the MVP. In September 2025, GAO made 13 recommendations to VA to address these deficiencies. Since September 2025, VA implemented nine of the 13 recommendations and partially implemented three others (see figure). GAO will continue to monitor VA’s progress in implementing the remaining recommendations. Figure: VA Progress, as of March 2026, in Addressing 13 GAO Recommendations Made in September 2025 Why GAO Did This Study Within VA, VHA oversees the delivery of health care services to millions of veterans. The amount of PHI used by VHA and shared with external entities highlights the importance of protecting the privacy of PHI. Further, VA is responsible for the cybersecurity of veterans’ sensitive health data, such as information in systems used to support its MVP. Since launching in 2011, about 1 million veterans have joined MVP, making it the nation’s largest biorepository of veteran data. GAO was asked to review VA’s privacy and cybersecurity efforts. In September 2025, GAO issued a sensitive report with limited distribution on the extent to which VHA oversaw the privacy of veterans’ health information shared with external entities, and the extent to which VA protected the confidentiality and integrity of veterans’ health information in its MVP, among other things. In that report, GAO identified security control deficiencies in a system supporting MVP and made 13 recommendations to address them. This report is a public version of the September 2025 report, with sensitive information removed. For this public report, GAO also determined the extent to which VA had taken corrective actions to address the previously identified security control deficiencies and the 13 related recommendations for improvement. GAO reviewed supporting documents and interviewed agency officials regarding VA’s actions to address these recommendations. For more information, contact Jennifer R. Franks at FranksJ@gao.gov.

What GAO Found In 2022 The Office of Science and Technology Policy (OSTP) directed federal agencies to make research results freely accessible to the public immediately when published. In response, seven of the nine agencies GAO reviewed issued updated plans or policies. The Department of Transportation and the Nuclear Regulatory Commission were still drafting updated plans and policies at the time of our review. Five agencies’ plans or policies fully met OSTP’s guidance. The National Science Foundation’s and U.S. Department of Agriculture’s plans did not fully address OSTP’s guidance for reuse rights. These rights describe how others can share, modify, or use the research. Better alignment with OSTP’s guidance could help ensure this research can be built upon by others. Amid the federal shift to public access, publishers are changing their business models to remain viable without subscription revenue and will require authors to pay to have their publications made open access. Agencies allow grant funds to cover these charges. Assuming historical patterns continue, the new policies and publishers' responses may result in significant agency cost growth. This would mean less money for research (see figure). However, only the National Institutes of Health has planned to manage these potential costs. Additional analysis could help other agencies better manage costs, which may triple annually. Estimated Spending on Publishing Charges for Selected Agencies Increased public access can improve the visibility of research and enable readers to identify problems with specific publications more quickly. However, according to stakeholders GAO spoke with, pay-to-publish models may encourage publishers to lower publication standards to publish more articles. In 2024, OSTP published an economic analysis on expanding public access, but it did not fully reflect all five of GAO’s key elements of an economic analysis. Notably, the scope did not address the goal of estimating the potential costs and other effects. Ensuring that future analyses are consistent with the key elements can help agencies better understand the cost implications of their new policies. Why GAO Did This Study The U.S. government is one of the largest funders of scientific research globally. The results of federally funded research are ordinarily shared through scholarly publications. But many of these publications were restricted to paid subscribers. GAO was asked to examine agencies’ efforts to implement OSTP’s 2022 guidance. This report examines: (1) the extent to which selected agencies' public access plans and policies are consistent with federal guidance, (2) how the scholarly publishing industry is responding to the federal shift to public access and how this affects selected agencies and journal market dynamics, (3) the potential effects of expanding public access to federally funded research, and (4) the extent to which OSTP’s 2024 economic analysis of public access followed GAO’s key elements for an economic analysis. GAO selected nine agencies with a mix of research funding levels and assessed their public access plans and policies against OSTP guidelines. GAO reviewed available literature and data and interviewed nongovernmental stakeholders, such as publishers and universities. Further, GAO assessed OSTP’s economic analysis against GAO’s key elements that serve as a framework for assessing an economic analysis.

How to Use the Framework GAO’s framework is a method for assessing AI capabilities and capacity in the U.S. and its competitiveness. A nation’s competitiveness in AI is how well it develops or deploys AI technologies compared to other nations. Policymakers may be interested in knowing how the U.S. compares to other nations in the AI race. GAO developed this framework to help analysts from government, industry, academia, and elsewhere obtain and provide structured information to policymakers about AI competitiveness. The complexity of factors affecting AI competitiveness makes it difficult to decide which factors are more important than others. The framework organizes relevant factors into four pillars: Science & Technology, Human Capital, Governance, and Economy. Each pillar is further divided into subpillars, such as R&D; laws, regulations and policies; workforce; and investment and financing. Analysts can use these pillars and subpillars to systematically consider the breadth of factors relevant to the needs of policymakers seeking information on our nation’s AI capabilities and capacity versus those of other nations. Factors Affecting AI Competitiveness Analysts can use the framework for different purposes and policymaker needs. For example, if U.S. policymakers express interest in helping U.S. companies export AI technologies, analysts can use the framework to rank the U.S. and its peers in their progress toward outcomes of AI competitiveness, such as the ability to influence global technology standards. These rankings can in turn inform policies to help the U.S. improve its AI capabilities, capacity, and competitiveness. The framework involves four steps that allow analysts to tailor their assessment: Focus the assessment by selecting targeted outcomes of AI competitiveness. Identify indicators for measurement or evaluation. Conduct data analysis. Develop policy options and final product. Framework for Assessing AI Competitiveness   Why GAO Developed This Framework Artificial intelligence (AI) could spur economic growth, enhance societal well-being, and improve national security. These possibilities have led to a global AI competition, in which nations that fall behind risk losing economic advantages and global influence. To be competitive, the U.S. needs to consider risks of AI deployment, such as job dislocation and increased energy consumption. Assessing U.S. competitiveness in AI presents challenges. The ability of the U.S. to successfully develop and deploy AI technologies depends on a broad mix of factors, including private and public investment, talent attraction, regulatory environments, and computing infrastructure. GAO was asked to develop a framework to assess U.S. AI capabilities, capacity, and competitiveness compared to other nations. GAO developed this framework to help analysts prioritize among the many factors that affect AI competitiveness. The framework is also designed to help analysts develop policy options to improve U.S. competitiveness. To develop this framework, GAO conducted a literature search to find articles on frameworks and measurements to evaluate AI capabilities and capacity and reviewed key reports on AI competitiveness and assessment methods. GAO also interviewed, surveyed, and met with experts from government agencies, academia, industry, nonprofit organizations, and more. For more information, contact Candice Wright at WrightC@gao.gov. or Sterling Thomas at ThomasS2@gao.gov.

What GAO Found The Department of Energy (DOE) is pursuing options to grout (i.e., immobilize in a concrete-like mixture) a portion of waste from 22 underground storage tanks at the Hanford Site. Specifically, DOE plans to grout about 24 million gallons of waste that has low levels of radioactivity—called low-activity waste (LAW). The waste will then be disposed of at one of two commercial disposal facilities located outside of Washington State. DOE will generally follow five process steps to grout and dispose of Hanford LAW. General Process Steps for Grouting and Disposing of Low-Activity Radioactive Waste from Hanford In December 2025, DOE’s tank waste contractor at the Hanford Site issued a solicitation to prospective subcontractors to submit proposals to grout the waste. As of April 2026, DOE and its contractor are evaluating proposals and plan to award one or more contracts later in 2026. As part of this evaluation, DOE is assessing options regarding where to grout this waste. DOE’s options include, for example, designing and constructing a new grouting facility onsite at Hanford or transporting liquid waste to existing grouting facilities for treatment and permanent disposal. In determining a path forward, DOE must consider a range of factors, including cost and schedule, associated risks, and disposal options. DOE must also consider whether to transport the waste in liquid or grouted form by truck or rail. DOE officials and industry representatives agreed that a reasonable cost estimate for grouting Hanford LAW, in either a new or existing commercial grout facility, ranges from about $20 to $45 per gallon of waste. Accordingly, grouting 24 million gallons of LAW could cost $480 million to $1.1 billion. DOE officials and industry representatives emphasized these costs captured only the grouting process and did not include other key costs, such as transportation, disposal, and the need to address potential organic materials that were added during waste extraction operations and remain in a portion of the waste. DOE is also exploring potential opportunities to continue grouting Hanford LAW beyond the initial 22 tanks. In doing so, DOE officials stated they must holistically consider the costs, schedules, and risks present across all of DOE’s efforts spanning the Hanford Site. They added that pursuing additional grouting opportunities could help the agency to address existing gaps in Hanford’s treatment capability and accelerate cleanup operations at the site. Why GAO Did This Study The Hanford Site in Washington State is home to one of the largest and most expensive environmental cleanup projects in the world. DOE’s mission at Hanford includes addressing approximately 55 million gallons of hazardous and radioactive waste stored in 177 underground tanks that must be retrieved and treated—or immobilized—before disposal. GAO has previously reported that grouting Hanford LAW could accelerate DOE’s cleanup mission and save billions of dollars. Senate Report 119-39 includes a provision for GAO to assess DOE’s available options for grouting Hanford LAW. This report provides information on DOE’s options for grouting, transporting, and disposing of a subset of Hanford LAW and key factors for DOE’s consideration in pursuing identified options. GAO assessed DOE documentation, relevant reports, and prior GAO work on DOE’s cleanup mission at Hanford and its options to treat and dispose of liquid tank waste. GAO also analyzed data from DOE’s Best Basis Inventory on the volume and radioactivity of selected underground storage tanks at Hanford. GAO interviewed DOE officials and industry representatives to identify and assess DOE’s options for grouting and transporting Hanford LAW as well as relevant factors affecting DOE’s decision-making. For more information, contact Nathan J. Anderson at andersonn@gao.gov.

Why This Matters In September 2017, Hurricanes Irma and Maria struck Puerto Rico, causing billions of dollars in damage to its housing, infrastructure, and economy. Paths of Hurricanes Irma and Maria in Puerto Rico, September 2017 Puerto Rico had already experienced a prolonged economic recession before the hurricanes, contributing to increases in mortgage delinquencies and foreclosures. The widespread devastation from Maria raised questions about how foreclosure rates in Puerto Rico might be affected. In November 2023, the Federal Reserve Bank of New York published a report that examined the effects of Irma and Maria on the stability of banks and their ability to lend, as well as the performance of bank-held and federally owned or guaranteed mortgages. Specifically, it compared the performance of mortgages in Puerto Rico before and after Maria, including rates of delinquency, banks’ mortgage loss, and foreclosure. The report also provided information on homeownership rates. According to the report, Maria’s effect on mortgages in Puerto Rico appears to have been mild or short-lived. The following summarizes the report’s key findings. Delinquency Rates At the time Maria struck, more than 10 percent of active mortgages in Puerto Rico were already delinquent. The rate roughly tripled by November 2017 but returned to pre-Maria levels 1 year later. Loss Rates for Bank-Held Mortgages Bank losses on mortgages generally represent the unpaid principal balance of loans in default minus amounts recovered from the proceeds of the sale of the home and mortgage insurance. Banks’ mortgage loss rates can be considered a proxy for estimating mortgage default rates in Puerto Rico. According to the report, various financial protections helped limit bank losses and contributed to relatively mild and short-lived financial effects. For example, mortgage insurance and government assistance helped protect banks from losses on residential mortgages in Puerto Rico. Banks experienced the greatest losses on conventional mortgages without private mortgage insurance. Loans covered by mortgage insurance (private or through the Federal Housing Administration) or guaranteed by the Department of Veterans Affairs were less likely to result in bank losses. These insured or guaranteed loans made up about 37 percent of all loans. Losses were more common among loans that were already troubled before Maria. Foreclosure Rates In response to Maria, the Department of Housing and Urban Development, Federal Housing Administration, Fannie Mae, Freddie Mac, and the U.S. Department of Agriculture imposed a foreclosure moratorium from the fourth quarter of 2017 through the third quarter of 2018. Despite the spike in delinquencies, foreclosures continued to decline during the moratorium. After it was lifted, foreclosures rose for several months before returning to prior trends after about 1 year. Many mortgages foreclosed in 2019 were likely delinquent before Maria, suggesting that the effect of Maria was modest. Homeownership Rates In 2017, homeownership rates in Puerto Rico were comparable to those on the U.S. mainland. However, mortgage financing was less common in Puerto Rico—about 41 percent of owner-occupied homes had a mortgage, compared with about 67 percent on the mainland. According to the report, residents in Puerto Rico’s large informal housing sector (such as homes built on public land and subdivided family plots) may lack title to their property, making it hard to obtain a mortgage. Rates of Return for Housing Developers The Economic Growth, Regulatory Relief, and Consumer Protection Act also required GAO to report on rates of return for housing developers in Puerto Rico, but this analysis could not be conducted because data were not available. Why GAO Did This Study The Economic Growth, Regulatory Relief, and Consumer Protection Act includes a provision for GAO to report on foreclosures in Puerto Rico before and after Hurricane Maria, including rates of delinquency, default, foreclosure, and homeownership. This report summarizes key relevant findings from a November 2023 Federal Reserve Bank of New York report that examined this issue. For more information, contact Jill Naamane at naamanej@gao.gov.

Based on the limited procedures GAO performed in reviewing the performance of the independent public accountant’s (IPA) audit of the Congressional Award Foundation’s financial statements for fiscal year 2024, GAO did not identify any significant issues it believes require attention. Had GAO performed additional procedures, other matters related to the performance of the audit might have come to its attention that it would have reported. The IPA provided an unmodified audit opinion on the Foundation’s financial statements for fiscal years 2024 and 2023. Specifically, the IPA found that the Foundation’s financial statements were presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles. However, for fiscal year 2024, the IPA identified a deficiency related to revenue recognition that it considered to be a material weakness in the Foundation’s internal control over financial reporting. Further, for fiscal year 2024, the IPA did not identify instances of noncompliance or other matters that are required to be reported under U.S. generally accepted government auditing standards. The Foundation concurred with the IPA’s conclusions. GAO’s review of the Foundation’s fiscal year 2024 financial statement audit, as differentiated from an audit of the financial statements, was not intended to enable GAO to express—and it does not express—an opinion on the Foundation’s financial statements or a conclusion on the effectiveness of its internal control over financial reporting. Furthermore, GAO does not express an opinion on the Foundation’s compliance with provisions of applicable laws, regulations, contracts, and grant agreements. The IPA is responsible for its reports on the Foundation and the conclusions expressed therein. GAO provided a draft of this report to the Foundation and the IPA for review and comment. The Foundation’s National Director and the Foundation’s Audit Committee Chair responded in an email that they have taken actions to improve operations and internal controls over financial reporting related to revenue recognition. The IPA’s Audit Principal responded in an email that the IPA had no comments regarding GAO’s report and its findings. Why GAO Did This Study This report presents the results of GAO’s review of the Foundation’s financial statement audit for fiscal year 2024. The Congressional Award Act established the Congressional Award Board to carry out a program to promote excellence among the nation’s youth in the areas of public service, personal development, physical fitness, and expedition or exploration. The Board created the Foundation as a nonprofit corporation to help it carry out this program. The Congressional Award Act, as amended by the Government Reports Elimination Act of 2014, requires the Foundation to obtain an annual financial statement audit from an IPA. The act also includes a provision for GAO to review the audit and report the results to the Congress annually. GAO’s objective was to review the Foundation’s fiscal year 2024 financial statement audit to identify any significant issues it believes require attention. To satisfy this objective, GAO (1) read and considered various documents with respect to the IPA’s independence, objectivity, and qualifications; (2) analyzed key IPA audit documentation; (3) read the Foundation’s financial statements for fiscal years 2024 and 2023, the IPA’s audit report on the these statements, and the IPA’s report on internal control over financial reporting and on compliance and other matters based on its audit; and (4) discussed matters pertinent to its objective with IPA representatives and Foundation management officials. For more information, contact Cheryl E. Clark at clarkce@gao.gov.

What GAO Found In this 10th annual review, GAO found that most federal agencies that could be subject to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended (IAA), have published civil monetary penalty inflation adjustments for 2025 in the Federal Register and reported related information in their 2025 or 2024 agency financial reports (AFR) or equivalent. All 49 agencies GAO reviewed for 2025 correctly calculated the 2025 civil monetary penalty annual inflation adjustment amounts. However, one agency did not publish its inflation adjustment in the Federal Register as of December 31, 2025, and did not report the required information in its 2025 AFR for its civil monetary penalties. Why GAO Did This Study The IAA includes a provision, added in 2015, for GAO to annually submit to Congress a report assessing agencies' compliance with the annual inflation adjustments the act requires. For more information, please contact Paula M. Rascona at rasconap@gao.gov.

What GAO Found The Department of Defense’s (DOD) Defense Suicide Prevention Office (DSPO) is responsible for suicide prevention efforts across the department, but it lacks information to monitor DOD-wide completion of required suicide prevention training. Specifically, a DSPO official told GAO the office does not receive data from the military services on whether they are completing the training. Requiring the services to report their training completion rates would give DSPO data needed to make informed decisions as it oversees training and develops DOD-wide suicide prevention policies. In addition, the military services’ headquarters suicide prevention offices generally do not effectively monitor training completion for their service members. The Army, Navy, and Marine Corps offices do not regularly track required annual training completion and only the National Guard Bureau takes action to help ensure training completion. Addressing these issues would help the service headquarters offices ensure training and service-specific learning objectives are reaching the military community as intended. Examples of Learning Objectives from Military Services’ Suicide Prevention Trainings, as of 2025 The military services have also not fully assessed the effectiveness of their suicide prevention training. Most of the services have taken steps to do so. For example, the Army, Marine Corps, and Air Force have surveys for some annual trainings. But these and other efforts have not fully assessed training effectiveness, such as by identifying the extent to which expected outcomes have been achieved. Developing and implementing evaluation plans would help the services ensure a systematic approach to assessment and determine if trainings are achieving intended outcomes, such as recognizing risk factors for suicide. DOD has made progress implementing certain training-related recommendations from the Suicide Prevention and Response Independent Review Committee, but uncertainties exist for future efforts. DOD has begun addressing the committee’s recommendations, including 18 on nonclinical training. However, GAO found that DOD’s ability to continue these efforts is uncertain given recent changes in staffing levels and pending decisions on combining suicide prevention training with other trainings. By using an iterative process to regularly update its project plans to account for and mitigate these uncertainties, DOD would be better positioned to effectively assess risks and manage resources. Why GAO Did This Study Suicide rates for active-duty service members have gradually increased since 2011, according to DOD. DOD’s latest data show that in 2024, 471 service members died by suicide. Suicide prevention training can increase awareness of risk factors and provide resources for intervention, among other things. However, recent GAO and DOD reports have identified gaps in DOD’s implementation of suicide prevention activities, including training. House Report 118-125 includes a provision for GAO to assess DOD’s suicide prevention training. This report examines (1) DSPO and the military services’ monitoring of suicide prevention training completion; (2) the military services’ assessment of training effectiveness; and (3) DOD’s steps to address an independent review committee’s training-related recommendations. GAO reviewed DOD policies, procedures, and other documentation on suicide prevention training; analyzed fiscal years 2020–2024 data on training completion; assessed DOD-wide evaluation procedures against federal standards; and interviewed officials.

This report was submitted to the Acting Comptroller General in accordance with Section 5 of the Government Accountability Office (GAO) Act of 2008. The report summarizes the activities of GAO's Office of Inspector General (OIG) for the 6-month reporting period ending March 31, 2026. During this reporting period, the OIG closed 18 GAO related investigations, opened nine new GAO related investigations, and processed 51 substantive hotline complaints. The OIG also continued work on five engagements and initiated four engagements. For the first time, the OIG will operate under a new Comptroller General, and the type of support that the OIG received from the previous Comptroller General is not assured. With the support of current GAO leadership, the OIG continues to seek a budget floor in fiscal year 2027, so the OIG can keep Congress and future Comptroller Generals fully and currently informed about issues and deficiencies relating to the administration of GAO programs and operations. For more information, contact the OIG at oig@gao.gov.

What GAO Found The Department of Energy’s (DOE) Office of Environmental Management (EM) has become further understaffed since GAO reported on EM’s workforce challenges in July 2024. From fiscal year (FY) 2023 through FY 2025, total staff decreased by 33 percent, from 1,272 to 856. This created an overall vacancy rate of 45 percent as of the end of FY 2025, based on a staffing need of 1,515 full-time employees that EM identified in FY 2023. This understaffing includes shortages in mission-critical occupations that are integral to carrying out EM’s mission, which includes addressing contaminated buildings, soil, and groundwater, and treating radioactive waste. Federal Staff in Selected Mission-Critical Occupations at the Department of Energy’s Office of Environmental Management (EM), End of Fiscal Year (FY) 2025 Occupational group Onboard staff Separations in 2025 Vacancies Vacancy rate (based on FY23 need) Retirement eligibility rate by 2030 General Engineering 174 69 179 51% 31% (54) Nuclear Engineering 19 14 23 55% 42% (8) General Physical Science 117 55 51 30% 35% (41) Source: GAO analysis of Department of Energy and EM information. | GAO-26-108674 EM experienced high attrition in FY 2025. Most staff left through the Deferred Resignation Program (DRP), and attrition will likely remain high, according to EM data. Of the 409 staff who left EM in FY 2025, 76 percent (312) separated through the DRP. Almost half (180) were in mission-critical occupations. EM’s remaining workforce is aging. EM’s data indicate that, as of the end of FY 2025, 35 percent of EM’s remaining staff, and 30 percent in mission-critical occupations, will be eligible for retirement by 2030. According to officials, EM plans to hire about 174 new staff in FY 2026, based on its FY 2026 budget, to help offset staffing gaps. As of March 2026, officials said EM is reassessing staffing needs and did not plan to change work scopes to match any potential changes in workforce numbers while considering reorganization. A reduction in identified staffing needs would eliminate some vacant positions, according to officials. In July 2024, GAO reported that EM’s levels of understaffing and workforce management challenges had caused schedule delays, cost overruns, and workplace accidents. These events all affected EM’s mission to clean up nuclear waste, according to DOE assessments. GAO concluded that without efforts to address workforce challenges, severe staffing shortages threatened EM’s ability to meet its mission. Why GAO Did This Study EM relies on federal staff to oversee its nuclear waste cleanup, which is the result of decades of nuclear weapons production and research at locations across the country. Since January 2025, several executive orders, memoranda, and related programs have affected EM’s workforce. GAO was asked to provide updated information on the EM workforce data that it had reported in July 2024 in GAO-24-106479. This report describes EM’s workforce capacity including the composition and attrition rates as of the end of FY 2025. GAO reviewed agency documents, analyzed EM’s human capital data for fiscal years 2023 through 2025, and interviewed EM officials.

What GAO Found The Export-Import Bank of the United States (EXIM) has generally monitored and evaluated the effectiveness of its fraud prevention activities in accordance with GAO’s leading practices. For example, EXIM surveys internal stakeholders, such as program managers and loan officers, to evaluate its fraud risk assessments. However, EXIM does not fully engage with external stakeholders to inform its fraud risk management activities, as called for in leading practices. EXIM works with external stakeholders, such as lenders and export credit insurance partners, to process transactions that carry EXIM’s guarantees. These stakeholders have antifraud responsibilities, but EXIM does not involve them in its fraud risk assessment process. EXIM officials explained they do not think it is feasible to include these external stakeholders in the risk assessment process, or in the evaluation of those assessments, as there are many external stakeholders of varying sizes and types. By not engaging with external stakeholders, EXIM is not well positioned to fully understand the landscape of fraud risks and vulnerabilities facing the agency, such as risks posed by tariff evasion and the malicious use of artificial intelligence, therefore putting taxpayers at risk. Further, EXIM collects information about potential fraud from internal loan officers to inform real-time monitoring efforts across its programs, but EXIM does not collect such information from external stakeholders (see fig. on the types and impacts of potential fraud at EXIM). According to leading practices, program managers should collect information from external stakeholders for real-time monitoring of fraud trends. By not collecting this information, EXIM is missing opportunities to proactively address fraud risks. Types and Impacts of Potential Fraud at Export-Import Bank of the United States GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025, to determine if entities that were banned from receiving federal assistance were present in the transaction data. GAO’s analysis did not identify any excluded parties within the EXIM transaction data during that period. Why GAO Did This Study EXIM’s mission is to support American jobs by facilitating the export of U.S. goods and services. Taxpayers could be responsible for losses arising from EXIM’s operations, including losses due to fraud. Congress included a provision in statute for GAO to periodically review EXIM’s antifraud controls. This report assesses the extent to which (1) EXIM has monitored and evaluated its fraud risk management activities and engaged its stakeholders in the monitoring process; and (2) excluded parties can be identified in EXIM’s transaction data from January 1, 2022, to June 30, 2025. GAO reviewed EXIM’s activities against relevant leading practices for fraud risk management identified by GAO, reviewed EXIM documentation, and interviewed EXIM managers and select external stakeholders responsible for fraud risk management. GAO selected external stakeholders to obtain a range of perspectives and based the selection on a variety of considerations including geographic location, asset size, the length of time associated with EXIM, and the number of active transactions. GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025.

What GAO Found A 2018 law generally prohibits executive agencies from procuring telecommunications and video surveillance equipment produced by certain companies, or their subsidiaries and affiliates, linked to the People’s Republic of China (referred to as “covered equipment”). Agencies are not prohibited from using covered equipment procured prior to this prohibition. Officials from four of six selected agencies—the Departments of Homeland Security, Justice, State, and Treasury—told GAO they did not identify any covered equipment connected to their IT networks. The Departments of Defense (DOD) and Energy reported finding little covered equipment in recent searches and having efforts underway to address potential risks. For example, DOD officials identified three instances of covered equipment connected to its network and confirmed the devices have been blocked from external access while DOD acts to remove them. All six selected agencies have used a combination of methods to search for covered equipment since 2019. Each method has benefits and limitations. For example, IT network scans may not scan agencies’ entire IT networks, including classified networks. Methods Selected Agencies Have Used to Search for Covered Equipment, 2019– December 2025 Agency IT hardware asset inventory searcha IT network scanb Procurement record search Physical search Department of Defense X X – X Department of Energy X X – – Department of Homeland Security X X X – Department of Justice X X X – Department of State X X – – Department of the Treasury X X X – Source: GAO analysis of agency responses. | GAO-26-107668 Note: “Covered equipment” refers to “covered telecommunications equipment” as defined by the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 889(f)(3), 132 Stat. 1636, 1918 (2018). aIT hardware asset inventories are records of IT hardware assets owned by an agency. bIT network scans use software to identify devices active on an IT network. Officials at some of the selected agencies cited limited visibility into product supply chains as a challenge in identifying covered equipment. For example, one agency official noted that manufacturers were reluctant to share proprietary information about their supply chains, thereby limiting the agency’s ability to determine whether devices in its inventory contained components produced by covered entities. Some officials said the lack of comprehensive, authoritative information on companies’ subsidiaries and affiliates also posed a challenge. However, officials noted that such information would be accurate only at the time it was developed, because companies may change their names or acquire or divest subsidiaries and affiliates. Why GAO Did This Study The federal government depends on a complex network of telecommunications and video surveillance equipment to support operations and communicate with the public. Foreign adversaries may seek to exploit vulnerabilities in this equipment. According to the Office of the Director of National Intelligence, China poses the most active and persistent cyber threat to the federal government. GAO was asked to review issues related to federal agencies’ use of covered equipment. This report examines (1) the amount of covered equipment selected agencies have identified, and actions the agencies have taken to address risks associated with using the equipment; and (2) the methods selected agencies reported using to search for covered equipment and challenges they have experienced. To conduct this review, GAO selected the six agencies from the Chief Financial Officers Act of 1990 that have organizational entities in the Intelligence Community. GAO obtained and reviewed information (e.g., screenshots of network scans or inventory searches) on selected agencies’ identification of covered equipment, if any, and actions to address associated risks. GAO also reviewed agencies’ policies and procedures for developing and maintaining inventories of hardware assets (i.e., equipment) and compared them with relevant National Institute of Standards and Technology cybersecurity requirements. Further, GAO reviewed documentation and interviewed agency officials about their methods for searching for covered equipment and the challenges they faced in identifying the equipment. For more information, contact Andrew Von Ah at vonaha@gao.gov or Jennifer Franks at franksj@gao.gov.

Why This Matters Companies and organizations are collecting more personal data from Americans than before to improve technologies such as AI. But using and sharing large amounts of data carries security and privacy risks, like breaches of personal information. According to the FBI, Americans reported more than $1.4 billion lost due to personal data breaches in 2024. Privacy enhancing technologies, or PETs, can help reduce risks associated with collecting, using, and sharing data. Key Takeaways Privacy enhancing technologies are expanding to new datasets and evolving to counteract malicious actors. They also could enable more secure collaboration and research on sensitive information, such as medical records or proprietary company data. Lack of federal guidance, high resource costs, and workforce constraints affect implementation of these technologies and may hinder widespread use. The Technology What is it? Privacy enhancing technologies modify, hide, or process data in ways that make it difficult to access sensitive information. Newer technologies that focus on minimizing shared data and limiting uses are improving the ways data can be used while protecting privacy. They can facilitate global collaboration on research and fraud detection while also reducing privacy risks associated with using and sharing data. For example, these technologies could enable responsible deployment of AI and other applications that are using increasing amounts of personal data, thereby reducing risks to data privacy. How does it work? Privacy enhancing technologies can be categorized by the different ways they protect data (see figure). Data obfuscation hides or changes data to make it more difficult to accurately identify personal information. For example, data elements may be removed from datasets to depersonalize them or data can be randomly added as “noise.” Next-generation encryption processing tools keep data encrypted while in use. For example, AI could analyze encrypted documents, such as medical records, without decrypting them first through a process called homomorphic encryption. Federated analytics and secure multi-party computation allow multiple entities access to parts of datasets, so that if one entity is compromised, the rest of the dataset remains secure. For example, each smartphone can conduct analysis for predictive text applications before manufacturers collect that information, keeping users’ raw data private and decentralized. How Some Privacy Enhancing Technologies Work How mature is it? These technologies are largely mature, and their use is growing for applications such as AI. Some types are more widely used than others. For example, federated analytics are used by many companies to protect consumer privacy while using their data to train predictive text models. Other types of these technologies can require significant computing power and time, making them difficult to adopt and deploy. For example, analyzing data using homomorphic encryption can take up to a million times as long as analyzing unencrypted data. Researchers are exploring how privacy enhancing technologies can be used to maximize the utility of existing datasets. For example, secure multi-party computation could enable secure sharing of protected genetic information, giving researchers more opportunities to collaborate. Opportunities Increase privacy. Limiting access to and obfuscating data results in fewer opportunities for data to leak, which limits opportunities for malicious actors to identify targets and helps mitigate risks in data-driven applications. Make new data sources available. When data remain private, companies can work collaboratively on proprietary or sensitive data that they might not normally share with competitors and outside groups. For example, banks can safely share information with foreign companies to identify fraud across borders. Researchers can more readily collaborate on sensitive data, like medical records, when those data are protected. Challenges Reliability. Some of these technologies, such as data obfuscation, may reveal data in certain cases. Malicious actors are using machine learning and other strategies to work around privacy enhancing technologies. Resource and skill demands. Some privacy enhancing technologies, such as homomorphic encryption, require more time and other resources than traditional data protection systems. Deploying these technologies effectively requires skill sets that companies and organizations may not possess. Lack of federal guidance. While the federal government requires certain data to be protected, federal guidance for how or when to use these technologies is limited. This leaves entities uncertain about how to best use them, which could slow adoption across different fields and make implementation difficult or ineffective. Policy Context And Questions What additional steps could the U.S. government and industry take to protect personal data? What is the government’s role, if any, in encouraging wider adoption and implementation of privacy enhancing technologies? How can institutions balance calls for privacy against calls for greater data transparency and accountability for using data collaboratively? Selected GAO Work Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance, GAO-26-107681. Selected Reference OECD (2023), “Emerging privacy-enhancing technologies: Current regulatory and policy approaches,” OECD Digital Economy Papers, No. 351, OECD Publishing, Paris, https://doi.org/10.1787/bf121be4-en. For more information, contact Sarah Harvey at HarveyS@gao.gov.

What GAO Found Scams are a method of committing fraud that involves the use of deception or manipulation intended to achieve financial gain. Scams generally succeed by manipulating and deceiving victims and often play on their emotions to exploit vulnerabilities. Disaster assistance scams are a type of scam that seeks to take advantage of either disaster survivors or people trying to aid disaster survivors. Examples of Disaster Assistance Scams The prevalence of disaster assistance scams is unknown, due in part to underreporting, but recent surveys—including one by the U.S. Census Bureau—suggest that many individuals encounter scams during disaster recovery. Federal agencies collect complaint data that include allegations of these types of scams. While agencies review complaints to identify where further action, such as investigation, might be appropriate, data limitations prevent accurate estimates on how often these scams occur and how much money is lost. Federal agencies use consumer education to raise awareness and help prevent individuals from becoming victims of disaster assistance scams. Factors hindering enforcement actions against scammers include underreporting of scams. Many disaster assistance scams go unreported to the federal agencies that receive and process complaints. These agencies include disaster response agencies—such as the Federal Emergency Management Agency, Small Business Administration, and Department of Housing and Urban Development—and other agencies, such as the National Center for Disaster Fraud. Disaster assistance scams can go unreported for various reasons, including shame, embarrassment, the belief that reporting will not help, and a lack of awareness about how to report the crime. For those complaints that are reported, there are challenges in prosecuting the disaster assistance scams, such as time and resource constraints, case prioritization, and the sophistication of some international scam operations. Why GAO Did This Study Scams related to disaster assistance pose financial and nonfinancial risks to disaster survivors, communities, and federal programs. Scams have been around for many years, have evolved with technology, and are a growing risk to consumers in the United States and around the world. Disaster assistance scams typically target vulnerable individuals and communities affected by a disaster by preying on desperation and fear, as well as exploiting vulnerabilities which may be heightened following a disaster. Disaster assistance scams can further compound losses incurred from disasters themselves. Each year, disasters such as floods, hurricanes, and wildfires affect hundreds of American communities and millions of people. The resulting federal disaster response—billions of dollars distributed quickly—also attracts scammers. It is likely that as natural disasters increase in frequency, so too will scams related to disaster assistance. GAO performed this work under the American Relief Act, 2025, which included a provision for GAO for audits and investigations related to Hurricanes Helene and Milton, and other disasters declared pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act in calendar years 2023 and 2024. This report provides information about disaster assistance scams and efforts to mitigate them. For more information, contact Rebecca Shea at Shear@gao.gov.

What GAO Found The Department of Homeland Security (DHS) is modernizing its financial management systems for the U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE) through three financial systems modernization programs. Reliable cost estimates and schedule assessments are essential to managing major system modernization efforts. GAO’s review of cost estimates for two of the system modernizations found that one substantially met all four characteristics of a reliable cost estimate; the other substantially met three of four characteristics. Regarding schedule, GAO determined that two program schedules were unreliable. Without a reliable schedule estimate that follows best practices, DHS increases the risk that management will lack key information for making decisions about its programs, including the impact on future program costs. DHS’s guidance and financial systems modernization plans varied in consistency with leading practices for data migration, organizational change management, and lessons learned. Summary of GAO Assessment of DHS Guidance and Financial Systems Modernization Plans Against Leading Practices Leading practice area GAO assessment of DHS and program office guidance GAO assessment of component planning documents Data migration Partially consistent Mostly consistent Organizational change management Consistent Mostly consistent Lessons learned process Mostly consistent –a Legend: Consistent = DHS provided evidence that sufficiently satisfied all relevant criterion; Mostly consistent = DHS provided evidence that sufficiently satisfied more than half of the relevant criterion; Partially consistent = DHS provided sufficient evidence that satisfied less than half of the relevant criterion; Not consistent = DHS did not provide sufficient evidence that satisfied the relevant criterion. Source: GAO analysis of Department of Homeland Security (DHS) documentation. | GAO-26-107863 aFinancial systems modernization programs use guidance to help execute their lessons learned process and apply the lessons in future relevant documentation. Therefore, lessons learned planning documents are not expected. DHS guidance used for financial systems modernization data migration is partially consistent with leading practices, while component planning documents were mostly consistent. Further, for organizational change management some component planning documents lacked details. For example, both Coast Guard and ICE plans incorporated steps to perform a readiness assessment, but neither included analysis of this assessment or metrics to measure change readiness. By not fully incorporating leading practices in both guidance and component planning documentation, DHS increases the risk of data errors, time needed to resolve those errors, potential delays in achieving full operational capability, and limiting users’ ability to effectively operate the system. Why GAO Did This Study In 2003, GAO designated DHS as high risk. In 2023, GAO narrowed this high-risk area to focus on DHS’s IT and financial management. To address its financial management issues, DHS is executing a multiyear plan to implement new financial management systems through acquisition programs. In 2025, GAO reported that much work remains for DHS to complete these modernization efforts. GAO was asked to review DHS’s modernization of financial management systems. This report addresses (1) the extent to which DHS ensured a reliable cost estimate and schedule assessment for two key major modernization efforts; (2) whether DHS’s plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned; and (3) whether its plans and guidance describe how DHS used the Coast Guard’s implementation experience to inform plans for FEMA’s and ICE’s efforts. Applying its previously issued guidance, GAO evaluated the cost estimates and schedule assessments for two major DHS system modernizations. GAO also identified applicable criteria and leading practices for data migration, organizational change management, and lessons learned. Using these criteria, GAO evaluated numerous guidance and planning documents. GAO also interviewed numerous DHS officials and Coast Guard, FEMA, and ICE officials.

What GAO Found From October 2018 through May 2025, U.S. Customs and Border Protection (CBP) granted about 2.4 million paroles—temporary permission for a noncitizen to stay in the U.S.—out of its nearly 10.4 million encounters at the southwest border (see figure). Over half were to Mexicans, Cubans, and Venezuelans. CBP Paroles and Encounters at the Southwest Border, October 2018–May 2025 CBP implemented policies in 2021 expanding the use of humanitarian parole to help manage increasing encounters at the southwest border. In July 2021, CBP’s U.S. Border Patrol authorized agents to parole apprehended noncitizens on a case-by-case basis under certain conditions, such as limited immigration detention space. Further, in May 2023, CBP expanded access for noncitizens to use the CBP One mobile application to schedule appointments for CBP Office of Field Operations (OFO) officers to inspect them. Almost all (97 percent) appointments in fiscal years 2023 and 2024 resulted in paroles. Noncitizens paroled under the policies were generally placed in removal proceedings. Since January 2025, Border Patrol and OFO implemented guidance and policies restricting the use of parole and the number of paroles decreased substantially. Once noncitizens are paroled at the southwest border, U.S. Immigration and Customs Enforcement (ICE) is responsible for monitoring them to ensure they adhere to the conditions of their release. For example, ICE may require assurances that they attend their removal proceedings. In January 2025, the Department of Homeland Security (DHS) and ICE issued guidance that emphasized the importance of ICE reviewing these cases to determine whether further enforcement action is appropriate. However, ICE does not have the information it needs to readily identify noncitizens CBP paroled at the southwest border and does not monitor them as required. By obtaining this information from CBP, ICE would be better positioned to monitor these noncitizens, review their cases, and take enforcement action, in accordance with DHS and ICE guidance. Why GAO Did This Study Within DHS, CBP is responsible for securing U.S. borders while facilitating legitimate travel and trade. CBP encounters noncitizens at the southwest border at and between ports of entry. CBP has discretion to grant parole—temporary permission to stay in the U.S.—to noncitizens it encounters for urgent humanitarian reasons or significant public benefit. CBP’s OFO and Border Patrol are responsible for securing the border at and between ports of entry. ICE, also within DHS, is responsible for monitoring paroled noncitizens to ensure they adhere to the conditions of their release. GAO was asked to review CBP’s use of humanitarian parole at the southwest border and ICE’s enforcement efforts for paroled noncitizens. This report examines (1) what CBP data show about the number and characteristics of humanitarian paroles at the southwest border since fiscal year 2019; (2) how CBP has used humanitarian parole in processing noncitizens encountered at the southwest border; and (3) ICE’s monitoring and enforcement efforts related to those noncitizens. GAO analyzed CBP and ICE documents, and CBP data on paroles granted at the southwest border from October 2018 through May 2025. GAO also interviewed officials from (1) CBP and ICE headquarters, (2) selected CBP field locations that collectively granted more than half of paroles over the time period, and (3) selected ICE field offices responsible for monitoring noncitizens.

What GAO Found The Small Business Administration’s (SBA) Disaster Loan Program provides low-interest loans to businesses, nonprofits, homeowners, and renters to help repair, rebuild, and recover from physical and economic losses after a declared disaster. In 2023 and 2024, SBA and the Federal Emergency Management Agency (FEMA) separately adopted rules affecting the program. SBA’s rule expanded options for loan recipients and adjusted program limits to reflect inflation. For example, it increased the maximum loan amount for repairing or replacing a primary residence from $200,000 to $500,000 and extended the loan deferment period from 5 to 12 months. FEMA’s rule removed the requirement that certain disaster survivors apply for an SBA loan—and either be denied or receive only partial funding—before qualifying for some types of FEMA assistance. According to SBA’s guidance, its field operations centers are responsible for outreach materials for declared disasters that affect localized areas. SBA relies on press releases and fact sheets to inform disaster survivors and the media about the Disaster Loan Program. However, field operations centers did not consistently update SBA’s disaster-specific press releases or fact sheets to reflect key components of SBA’s 2023 and FEMA’s 2024 rules. GAO’s analysis of outreach materials for 76 presidentially declared disasters in 2023 and 2024 found that while materials from the two field operations centers were generally similar, they were not consistent in the information they included. For example, both centers included updated loan limits in all post-disaster fact sheets. However, the East Field Operations Center incorporated updated SBA language explaining that survivors could apply for certain FEMA assistance without first applying to SBA in 96 percent of its press releases, compared with 5 percent for the West Field Operations Center. By implementing controls to ensure field operations centers consistently include standardized information in their disaster outreach materials, SBA would have greater assurance that survivors across regions receive key information needed to access resources and manage their recovery. GAO also found that SBA’s 2023 rule addresses some challenges faced by rural and underserved areas in using the Disaster Loan Program. For example, the higher home lending limit could help homeowners and renters in rural areas manage construction costs when demand is high and supplies are limited. Why GAO Did This Study Recent natural disasters highlight the need for federal agencies to deliver assistance efficiently and effectively. In fiscal year 2024, the most recent year for which data were available, SBA’s Disaster Loan Program supported about $1.7 billion in disaster lending at an estimated cost of $341.4 million. That year, SBA approved more than 27,000 direct disaster loans to help borrowers recover from events such as floods, hurricanes, and tornadoes. In 2023 and 2024, SBA and FEMA, respectively, adopted rules that made changes affecting the program. GAO was asked to examine the effects of these rules on the Disaster Loan Program, including changes in SBA’s implementation of the program. This report addresses SBA’s implementation of these rules, including how the agency communicated changes to survivors. GAO reviewed SBA and FEMA rules and analyzed SBA press releases, fact sheets, staffing reports, and recovery center data for disasters declared in 2023 and 2024 to assess how SBA communicated rule changes and allocated resources. GAO also interviewed officials from SBA, FEMA, and local government in five states, selected based on geographic location, loans approved, and funds disbursed, to understand survivor experiences and how the new rules affected rural and underserved communities.