This report was submitted to the Acting Comptroller General in accordance with Section 5 of the Government Accountability Office (GAO) Act of 2008. The report summarizes the activities of GAO's Office of Inspector General (OIG) for the 6-month reporting period ending March 31, 2026. During this reporting period, the OIG closed 18 GAO related investigations, opened nine new GAO related investigations, and processed 51 substantive hotline complaints. The OIG also continued work on five engagements and initiated four engagements. For the first time, the OIG will operate under a new Comptroller General, and the type of support that the OIG received from the previous Comptroller General is not assured. With the support of current GAO leadership, the OIG continues to seek a budget floor in fiscal year 2027, so the OIG can keep Congress and future Comptroller Generals fully and currently informed about issues and deficiencies relating to the administration of GAO programs and operations. For more information, contact the OIG at oig@gao.gov.

What GAO Found The Department of Energy’s (DOE) Office of Environmental Management (EM) has become further understaffed since GAO reported on EM’s workforce challenges in July 2024. From fiscal year (FY) 2023 through FY 2025, total staff decreased by 33 percent, from 1,272 to 856. This created an overall vacancy rate of 45 percent as of the end of FY 2025, based on a staffing need of 1,515 full-time employees that EM identified in FY 2023. This understaffing includes shortages in mission-critical occupations that are integral to carrying out EM’s mission, which includes addressing contaminated buildings, soil, and groundwater, and treating radioactive waste. Federal Staff in Selected Mission-Critical Occupations at the Department of Energy’s Office of Environmental Management (EM), End of Fiscal Year (FY) 2025 Occupational group Onboard staff Separations in 2025 Vacancies Vacancy rate (based on FY23 need) Retirement eligibility rate by 2030 General Engineering 174 69 179 51% 31% (54) Nuclear Engineering 19 14 23 55% 42% (8) General Physical Science 117 55 51 30% 35% (41) Source: GAO analysis of Department of Energy and EM information. | GAO-26-108674 EM experienced high attrition in FY 2025. Most staff left through the Deferred Resignation Program (DRP), and attrition will likely remain high, according to EM data. Of the 409 staff who left EM in FY 2025, 76 percent (312) separated through the DRP. Almost half (180) were in mission-critical occupations. EM’s remaining workforce is aging. EM’s data indicate that, as of the end of FY 2025, 35 percent of EM’s remaining staff, and 30 percent in mission-critical occupations, will be eligible for retirement by 2030. According to officials, EM plans to hire about 174 new staff in FY 2026, based on its FY 2026 budget, to help offset staffing gaps. As of March 2026, officials said EM is reassessing staffing needs and did not plan to change work scopes to match any potential changes in workforce numbers while considering reorganization. A reduction in identified staffing needs would eliminate some vacant positions, according to officials. In July 2024, GAO reported that EM’s levels of understaffing and workforce management challenges had caused schedule delays, cost overruns, and workplace accidents. These events all affected EM’s mission to clean up nuclear waste, according to DOE assessments. GAO concluded that without efforts to address workforce challenges, severe staffing shortages threatened EM’s ability to meet its mission. Why GAO Did This Study EM relies on federal staff to oversee its nuclear waste cleanup, which is the result of decades of nuclear weapons production and research at locations across the country. Since January 2025, several executive orders, memoranda, and related programs have affected EM’s workforce. GAO was asked to provide updated information on the EM workforce data that it had reported in July 2024 in GAO-24-106479. This report describes EM’s workforce capacity including the composition and attrition rates as of the end of FY 2025. GAO reviewed agency documents, analyzed EM’s human capital data for fiscal years 2023 through 2025, and interviewed EM officials.

What GAO Found The Export-Import Bank of the United States (EXIM) has generally monitored and evaluated the effectiveness of its fraud prevention activities in accordance with GAO’s leading practices. For example, EXIM surveys internal stakeholders, such as program managers and loan officers, to evaluate its fraud risk assessments. However, EXIM does not fully engage with external stakeholders to inform its fraud risk management activities, as called for in leading practices. EXIM works with external stakeholders, such as lenders and export credit insurance partners, to process transactions that carry EXIM’s guarantees. These stakeholders have antifraud responsibilities, but EXIM does not involve them in its fraud risk assessment process. EXIM officials explained they do not think it is feasible to include these external stakeholders in the risk assessment process, or in the evaluation of those assessments, as there are many external stakeholders of varying sizes and types. By not engaging with external stakeholders, EXIM is not well positioned to fully understand the landscape of fraud risks and vulnerabilities facing the agency, such as risks posed by tariff evasion and the malicious use of artificial intelligence, therefore putting taxpayers at risk. Further, EXIM collects information about potential fraud from internal loan officers to inform real-time monitoring efforts across its programs, but EXIM does not collect such information from external stakeholders (see fig. on the types and impacts of potential fraud at EXIM). According to leading practices, program managers should collect information from external stakeholders for real-time monitoring of fraud trends. By not collecting this information, EXIM is missing opportunities to proactively address fraud risks. Types and Impacts of Potential Fraud at Export-Import Bank of the United States GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025, to determine if entities that were banned from receiving federal assistance were present in the transaction data. GAO’s analysis did not identify any excluded parties within the EXIM transaction data during that period. Why GAO Did This Study EXIM’s mission is to support American jobs by facilitating the export of U.S. goods and services. Taxpayers could be responsible for losses arising from EXIM’s operations, including losses due to fraud. Congress included a provision in statute for GAO to periodically review EXIM’s antifraud controls. This report assesses the extent to which (1) EXIM has monitored and evaluated its fraud risk management activities and engaged its stakeholders in the monitoring process; and (2) excluded parties can be identified in EXIM’s transaction data from January 1, 2022, to June 30, 2025. GAO reviewed EXIM’s activities against relevant leading practices for fraud risk management identified by GAO, reviewed EXIM documentation, and interviewed EXIM managers and select external stakeholders responsible for fraud risk management. GAO selected external stakeholders to obtain a range of perspectives and based the selection on a variety of considerations including geographic location, asset size, the length of time associated with EXIM, and the number of active transactions. GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025.

What GAO Found A 2018 law generally prohibits executive agencies from procuring telecommunications and video surveillance equipment produced by certain companies, or their subsidiaries and affiliates, linked to the People’s Republic of China (referred to as “covered equipment”). Agencies are not prohibited from using covered equipment procured prior to this prohibition. Officials from four of six selected agencies—the Departments of Homeland Security, Justice, State, and Treasury—told GAO they did not identify any covered equipment connected to their IT networks. The Departments of Defense (DOD) and Energy reported finding little covered equipment in recent searches and having efforts underway to address potential risks. For example, DOD officials identified three instances of covered equipment connected to its network and confirmed the devices have been blocked from external access while DOD acts to remove them. All six selected agencies have used a combination of methods to search for covered equipment since 2019. Each method has benefits and limitations. For example, IT network scans may not scan agencies’ entire IT networks, including classified networks. Methods Selected Agencies Have Used to Search for Covered Equipment, 2019– December 2025 Agency IT hardware asset inventory searcha IT network scanb Procurement record search Physical search Department of Defense X X – X Department of Energy X X – – Department of Homeland Security X X X – Department of Justice X X X – Department of State X X – – Department of the Treasury X X X – Source: GAO analysis of agency responses. | GAO-26-107668 Note: “Covered equipment” refers to “covered telecommunications equipment” as defined by the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 889(f)(3), 132 Stat. 1636, 1918 (2018). aIT hardware asset inventories are records of IT hardware assets owned by an agency. bIT network scans use software to identify devices active on an IT network. Officials at some of the selected agencies cited limited visibility into product supply chains as a challenge in identifying covered equipment. For example, one agency official noted that manufacturers were reluctant to share proprietary information about their supply chains, thereby limiting the agency’s ability to determine whether devices in its inventory contained components produced by covered entities. Some officials said the lack of comprehensive, authoritative information on companies’ subsidiaries and affiliates also posed a challenge. However, officials noted that such information would be accurate only at the time it was developed, because companies may change their names or acquire or divest subsidiaries and affiliates. Why GAO Did This Study The federal government depends on a complex network of telecommunications and video surveillance equipment to support operations and communicate with the public. Foreign adversaries may seek to exploit vulnerabilities in this equipment. According to the Office of the Director of National Intelligence, China poses the most active and persistent cyber threat to the federal government. GAO was asked to review issues related to federal agencies’ use of covered equipment. This report examines (1) the amount of covered equipment selected agencies have identified, and actions the agencies have taken to address risks associated with using the equipment; and (2) the methods selected agencies reported using to search for covered equipment and challenges they have experienced. To conduct this review, GAO selected the six agencies from the Chief Financial Officers Act of 1990 that have organizational entities in the Intelligence Community. GAO obtained and reviewed information (e.g., screenshots of network scans or inventory searches) on selected agencies’ identification of covered equipment, if any, and actions to address associated risks. GAO also reviewed agencies’ policies and procedures for developing and maintaining inventories of hardware assets (i.e., equipment) and compared them with relevant National Institute of Standards and Technology cybersecurity requirements. Further, GAO reviewed documentation and interviewed agency officials about their methods for searching for covered equipment and the challenges they faced in identifying the equipment. For more information, contact Andrew Von Ah at vonaha@gao.gov or Jennifer Franks at franksj@gao.gov.

Why This Matters Companies and organizations are collecting more personal data from Americans than before to improve technologies such as AI. But using and sharing large amounts of data carries security and privacy risks, like breaches of personal information. According to the FBI, Americans reported more than $1.4 billion lost due to personal data breaches in 2024. Privacy enhancing technologies, or PETs, can help reduce risks associated with collecting, using, and sharing data. Key Takeaways Privacy enhancing technologies are expanding to new datasets and evolving to counteract malicious actors. They also could enable more secure collaboration and research on sensitive information, such as medical records or proprietary company data. Lack of federal guidance, high resource costs, and workforce constraints affect implementation of these technologies and may hinder widespread use. The Technology What is it? Privacy enhancing technologies modify, hide, or process data in ways that make it difficult to access sensitive information. Newer technologies that focus on minimizing shared data and limiting uses are improving the ways data can be used while protecting privacy. They can facilitate global collaboration on research and fraud detection while also reducing privacy risks associated with using and sharing data. For example, these technologies could enable responsible deployment of AI and other applications that are using increasing amounts of personal data, thereby reducing risks to data privacy. How does it work? Privacy enhancing technologies can be categorized by the different ways they protect data (see figure). Data obfuscation hides or changes data to make it more difficult to accurately identify personal information. For example, data elements may be removed from datasets to depersonalize them or data can be randomly added as “noise.” Next-generation encryption processing tools keep data encrypted while in use. For example, AI could analyze encrypted documents, such as medical records, without decrypting them first through a process called homomorphic encryption. Federated analytics and secure multi-party computation allow multiple entities access to parts of datasets, so that if one entity is compromised, the rest of the dataset remains secure. For example, each smartphone can conduct analysis for predictive text applications before manufacturers collect that information, keeping users’ raw data private and decentralized. How Some Privacy Enhancing Technologies Work How mature is it? These technologies are largely mature, and their use is growing for applications such as AI. Some types are more widely used than others. For example, federated analytics are used by many companies to protect consumer privacy while using their data to train predictive text models. Other types of these technologies can require significant computing power and time, making them difficult to adopt and deploy. For example, analyzing data using homomorphic encryption can take up to a million times as long as analyzing unencrypted data. Researchers are exploring how privacy enhancing technologies can be used to maximize the utility of existing datasets. For example, secure multi-party computation could enable secure sharing of protected genetic information, giving researchers more opportunities to collaborate. Opportunities Increase privacy. Limiting access to and obfuscating data results in fewer opportunities for data to leak, which limits opportunities for malicious actors to identify targets and helps mitigate risks in data-driven applications. Make new data sources available. When data remain private, companies can work collaboratively on proprietary or sensitive data that they might not normally share with competitors and outside groups. For example, banks can safely share information with foreign companies to identify fraud across borders. Researchers can more readily collaborate on sensitive data, like medical records, when those data are protected. Challenges Reliability. Some of these technologies, such as data obfuscation, may reveal data in certain cases. Malicious actors are using machine learning and other strategies to work around privacy enhancing technologies. Resource and skill demands. Some privacy enhancing technologies, such as homomorphic encryption, require more time and other resources than traditional data protection systems. Deploying these technologies effectively requires skill sets that companies and organizations may not possess. Lack of federal guidance. While the federal government requires certain data to be protected, federal guidance for how or when to use these technologies is limited. This leaves entities uncertain about how to best use them, which could slow adoption across different fields and make implementation difficult or ineffective. Policy Context And Questions What additional steps could the U.S. government and industry take to protect personal data? What is the government’s role, if any, in encouraging wider adoption and implementation of privacy enhancing technologies? How can institutions balance calls for privacy against calls for greater data transparency and accountability for using data collaboratively? Selected GAO Work Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance, GAO-26-107681. Selected Reference OECD (2023), “Emerging privacy-enhancing technologies: Current regulatory and policy approaches,” OECD Digital Economy Papers, No. 351, OECD Publishing, Paris, https://doi.org/10.1787/bf121be4-en. For more information, contact Sarah Harvey at HarveyS@gao.gov.

What GAO Found Scams are a method of committing fraud that involves the use of deception or manipulation intended to achieve financial gain. Scams generally succeed by manipulating and deceiving victims and often play on their emotions to exploit vulnerabilities. Disaster assistance scams are a type of scam that seeks to take advantage of either disaster survivors or people trying to aid disaster survivors. Examples of Disaster Assistance Scams The prevalence of disaster assistance scams is unknown, due in part to underreporting, but recent surveys—including one by the U.S. Census Bureau—suggest that many individuals encounter scams during disaster recovery. Federal agencies collect complaint data that include allegations of these types of scams. While agencies review complaints to identify where further action, such as investigation, might be appropriate, data limitations prevent accurate estimates on how often these scams occur and how much money is lost. Federal agencies use consumer education to raise awareness and help prevent individuals from becoming victims of disaster assistance scams. Factors hindering enforcement actions against scammers include underreporting of scams. Many disaster assistance scams go unreported to the federal agencies that receive and process complaints. These agencies include disaster response agencies—such as the Federal Emergency Management Agency, Small Business Administration, and Department of Housing and Urban Development—and other agencies, such as the National Center for Disaster Fraud. Disaster assistance scams can go unreported for various reasons, including shame, embarrassment, the belief that reporting will not help, and a lack of awareness about how to report the crime. For those complaints that are reported, there are challenges in prosecuting the disaster assistance scams, such as time and resource constraints, case prioritization, and the sophistication of some international scam operations. Why GAO Did This Study Scams related to disaster assistance pose financial and nonfinancial risks to disaster survivors, communities, and federal programs. Scams have been around for many years, have evolved with technology, and are a growing risk to consumers in the United States and around the world. Disaster assistance scams typically target vulnerable individuals and communities affected by a disaster by preying on desperation and fear, as well as exploiting vulnerabilities which may be heightened following a disaster. Disaster assistance scams can further compound losses incurred from disasters themselves. Each year, disasters such as floods, hurricanes, and wildfires affect hundreds of American communities and millions of people. The resulting federal disaster response—billions of dollars distributed quickly—also attracts scammers. It is likely that as natural disasters increase in frequency, so too will scams related to disaster assistance. GAO performed this work under the American Relief Act, 2025, which included a provision for GAO for audits and investigations related to Hurricanes Helene and Milton, and other disasters declared pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act in calendar years 2023 and 2024. This report provides information about disaster assistance scams and efforts to mitigate them. For more information, contact Rebecca Shea at Shear@gao.gov.

What GAO Found The Department of Homeland Security (DHS) is modernizing its financial management systems for the U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE) through three financial systems modernization programs. Reliable cost estimates and schedule assessments are essential to managing major system modernization efforts. GAO’s review of cost estimates for two of the system modernizations found that one substantially met all four characteristics of a reliable cost estimate; the other substantially met three of four characteristics. Regarding schedule, GAO determined that two program schedules were unreliable. Without a reliable schedule estimate that follows best practices, DHS increases the risk that management will lack key information for making decisions about its programs, including the impact on future program costs. DHS’s guidance and financial systems modernization plans varied in consistency with leading practices for data migration, organizational change management, and lessons learned. Summary of GAO Assessment of DHS Guidance and Financial Systems Modernization Plans Against Leading Practices Leading practice area GAO assessment of DHS and program office guidance GAO assessment of component planning documents Data migration Partially consistent Mostly consistent Organizational change management Consistent Mostly consistent Lessons learned process Mostly consistent –a Legend: Consistent = DHS provided evidence that sufficiently satisfied all relevant criterion; Mostly consistent = DHS provided evidence that sufficiently satisfied more than half of the relevant criterion; Partially consistent = DHS provided sufficient evidence that satisfied less than half of the relevant criterion; Not consistent = DHS did not provide sufficient evidence that satisfied the relevant criterion. Source: GAO analysis of Department of Homeland Security (DHS) documentation. | GAO-26-107863 aFinancial systems modernization programs use guidance to help execute their lessons learned process and apply the lessons in future relevant documentation. Therefore, lessons learned planning documents are not expected. DHS guidance used for financial systems modernization data migration is partially consistent with leading practices, while component planning documents were mostly consistent. Further, for organizational change management some component planning documents lacked details. For example, both Coast Guard and ICE plans incorporated steps to perform a readiness assessment, but neither included analysis of this assessment or metrics to measure change readiness. By not fully incorporating leading practices in both guidance and component planning documentation, DHS increases the risk of data errors, time needed to resolve those errors, potential delays in achieving full operational capability, and limiting users’ ability to effectively operate the system. Why GAO Did This Study In 2003, GAO designated DHS as high risk. In 2023, GAO narrowed this high-risk area to focus on DHS’s IT and financial management. To address its financial management issues, DHS is executing a multiyear plan to implement new financial management systems through acquisition programs. In 2025, GAO reported that much work remains for DHS to complete these modernization efforts. GAO was asked to review DHS’s modernization of financial management systems. This report addresses (1) the extent to which DHS ensured a reliable cost estimate and schedule assessment for two key major modernization efforts; (2) whether DHS’s plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned; and (3) whether its plans and guidance describe how DHS used the Coast Guard’s implementation experience to inform plans for FEMA’s and ICE’s efforts. Applying its previously issued guidance, GAO evaluated the cost estimates and schedule assessments for two major DHS system modernizations. GAO also identified applicable criteria and leading practices for data migration, organizational change management, and lessons learned. Using these criteria, GAO evaluated numerous guidance and planning documents. GAO also interviewed numerous DHS officials and Coast Guard, FEMA, and ICE officials.

What GAO Found From October 2018 through May 2025, U.S. Customs and Border Protection (CBP) granted about 2.4 million paroles—temporary permission for a noncitizen to stay in the U.S.—out of its nearly 10.4 million encounters at the southwest border (see figure). Over half were to Mexicans, Cubans, and Venezuelans. CBP Paroles and Encounters at the Southwest Border, October 2018–May 2025 CBP implemented policies in 2021 expanding the use of humanitarian parole to help manage increasing encounters at the southwest border. In July 2021, CBP’s U.S. Border Patrol authorized agents to parole apprehended noncitizens on a case-by-case basis under certain conditions, such as limited immigration detention space. Further, in May 2023, CBP expanded access for noncitizens to use the CBP One mobile application to schedule appointments for CBP Office of Field Operations (OFO) officers to inspect them. Almost all (97 percent) appointments in fiscal years 2023 and 2024 resulted in paroles. Noncitizens paroled under the policies were generally placed in removal proceedings. Since January 2025, Border Patrol and OFO implemented guidance and policies restricting the use of parole and the number of paroles decreased substantially. Once noncitizens are paroled at the southwest border, U.S. Immigration and Customs Enforcement (ICE) is responsible for monitoring them to ensure they adhere to the conditions of their release. For example, ICE may require assurances that they attend their removal proceedings. In January 2025, the Department of Homeland Security (DHS) and ICE issued guidance that emphasized the importance of ICE reviewing these cases to determine whether further enforcement action is appropriate. However, ICE does not have the information it needs to readily identify noncitizens CBP paroled at the southwest border and does not monitor them as required. By obtaining this information from CBP, ICE would be better positioned to monitor these noncitizens, review their cases, and take enforcement action, in accordance with DHS and ICE guidance. Why GAO Did This Study Within DHS, CBP is responsible for securing U.S. borders while facilitating legitimate travel and trade. CBP encounters noncitizens at the southwest border at and between ports of entry. CBP has discretion to grant parole—temporary permission to stay in the U.S.—to noncitizens it encounters for urgent humanitarian reasons or significant public benefit. CBP’s OFO and Border Patrol are responsible for securing the border at and between ports of entry. ICE, also within DHS, is responsible for monitoring paroled noncitizens to ensure they adhere to the conditions of their release. GAO was asked to review CBP’s use of humanitarian parole at the southwest border and ICE’s enforcement efforts for paroled noncitizens. This report examines (1) what CBP data show about the number and characteristics of humanitarian paroles at the southwest border since fiscal year 2019; (2) how CBP has used humanitarian parole in processing noncitizens encountered at the southwest border; and (3) ICE’s monitoring and enforcement efforts related to those noncitizens. GAO analyzed CBP and ICE documents, and CBP data on paroles granted at the southwest border from October 2018 through May 2025. GAO also interviewed officials from (1) CBP and ICE headquarters, (2) selected CBP field locations that collectively granted more than half of paroles over the time period, and (3) selected ICE field offices responsible for monitoring noncitizens.

What GAO Found The Small Business Administration’s (SBA) Disaster Loan Program provides low-interest loans to businesses, nonprofits, homeowners, and renters to help repair, rebuild, and recover from physical and economic losses after a declared disaster. In 2023 and 2024, SBA and the Federal Emergency Management Agency (FEMA) separately adopted rules affecting the program. SBA’s rule expanded options for loan recipients and adjusted program limits to reflect inflation. For example, it increased the maximum loan amount for repairing or replacing a primary residence from $200,000 to $500,000 and extended the loan deferment period from 5 to 12 months. FEMA’s rule removed the requirement that certain disaster survivors apply for an SBA loan—and either be denied or receive only partial funding—before qualifying for some types of FEMA assistance. According to SBA’s guidance, its field operations centers are responsible for outreach materials for declared disasters that affect localized areas. SBA relies on press releases and fact sheets to inform disaster survivors and the media about the Disaster Loan Program. However, field operations centers did not consistently update SBA’s disaster-specific press releases or fact sheets to reflect key components of SBA’s 2023 and FEMA’s 2024 rules. GAO’s analysis of outreach materials for 76 presidentially declared disasters in 2023 and 2024 found that while materials from the two field operations centers were generally similar, they were not consistent in the information they included. For example, both centers included updated loan limits in all post-disaster fact sheets. However, the East Field Operations Center incorporated updated SBA language explaining that survivors could apply for certain FEMA assistance without first applying to SBA in 96 percent of its press releases, compared with 5 percent for the West Field Operations Center. By implementing controls to ensure field operations centers consistently include standardized information in their disaster outreach materials, SBA would have greater assurance that survivors across regions receive key information needed to access resources and manage their recovery. GAO also found that SBA’s 2023 rule addresses some challenges faced by rural and underserved areas in using the Disaster Loan Program. For example, the higher home lending limit could help homeowners and renters in rural areas manage construction costs when demand is high and supplies are limited. Why GAO Did This Study Recent natural disasters highlight the need for federal agencies to deliver assistance efficiently and effectively. In fiscal year 2024, the most recent year for which data were available, SBA’s Disaster Loan Program supported about $1.7 billion in disaster lending at an estimated cost of $341.4 million. That year, SBA approved more than 27,000 direct disaster loans to help borrowers recover from events such as floods, hurricanes, and tornadoes. In 2023 and 2024, SBA and FEMA, respectively, adopted rules that made changes affecting the program. GAO was asked to examine the effects of these rules on the Disaster Loan Program, including changes in SBA’s implementation of the program. This report addresses SBA’s implementation of these rules, including how the agency communicated changes to survivors. GAO reviewed SBA and FEMA rules and analyzed SBA press releases, fact sheets, staffing reports, and recovery center data for disasters declared in 2023 and 2024 to assess how SBA communicated rule changes and allocated resources. GAO also interviewed officials from SBA, FEMA, and local government in five states, selected based on geographic location, loans approved, and funds disbursed, to understand survivor experiences and how the new rules affected rural and underserved communities.

What GAO Found The Air Force has three maintenance depots that maintain the readiness of aircraft required for military operations. Depot maintenance delays have increased considerably since fiscal year 2019, whether measured by the original target completion date set before aircraft arrive at the depot or the revised target completion date that accounts for unplanned work found during maintenance. Percentage of Air Force Aircraft Delayed During Depot Maintenance, Fiscal Years 2019–2024 The Air Force tracks depot maintenance timeliness for both original and revised target completion dates but primarily uses the revised target for reporting on its performance.GAO found several limitations associated with the Air Force’s reporting on depot timeliness. For example: Reporting on the revised target masks the full extent of delays because it does not reflect unplanned work. Depots frequently revised targets after they completed maintenance to match the actual number of days it took to complete maintenance. Depots and aircraft program offices inconsistently apply the target completion date revision process. As a result, the Air Force is not reporting the full extent of depot maintenance challenges and may not be able to make accurate comparisons across the fleet. While all three depots have filled 90 percent or more positions since 2020, they have experienced shortages in specific occupations. According to depot officials, pay competition with the private sector is the primary challenge in recruiting and retaining personnel in occupations such as engineers and mechanics. The depots have taken some steps to mitigate this challenge by selectively using incentives and emphasizing the nonfinancial benefits of a federal career. However, the Air Force has not fully addressed pay competition with the private sector because DOD has not conducted a comprehensive assessment of pay gaps for occupations affected by private sector competition. Such an assessment would enable the depots to make informed decisions to address competition with the private sector for occupations critical to aircraft readiness. Why GAO Did This Study More than 2 decades of conflict has degraded the Air Force’s readiness, with wide-ranging effects on aircraft from continuous deployments. The Air Force is working to rebuild its readiness, in part by modernizing its maintenance depots to sustain an increasingly aging fleet. The Air Force’s three maintenance depots, also known as Air Logistics Complexes (ALC) are: Ogden ALC, Oklahoma City ALC, and Warner Robins ALC. Senate Report 118-188 accompanying a bill for the National Defense Authorization Act for Fiscal Year 2025 includes a provision for GAO to assess maintenance and staffing at the three ALCs. This report assesses, among other things, the extent to which the Air Force has completed aircraft depot maintenance on time and addressed any staffing challenges at the depots. GAO analyzed Air Force maintenance and staffing data; interviewed Department of Defense and Air Force officials; and conducted site visits to all three ALCs.

What GAO Found The Financial Data Transparency Act (FDTA) was enacted in December 2022 with the intent of eventually reducing the private sector’s regulatory compliance burden while enhancing transparency and accountability. The FDTA requires agencies that regulate the financial sector to create a set of joint data standards to ultimately help harmonize future reporting by promoting data sharing among financial regulators. Implementation of the FDTA requirements is in the early stages of the rulemaking process, with regulatory agencies working to finalize an August 2024 proposed rule. Subsequently, most regulatory agencies are required to issue their own regulations to implement the joint data standards. The agency officials and stakeholders GAO spoke with identified potential benefits, costs, and challenges of implementing the FDTA. Potential benefits of implementation  Standardized data reporting, as well as the interoperability of data collected by different agencies, could improve the quality and efficiency of data analysis by regulators.  More efficient data analysis could in turn improve oversight and more timely identification of compliance concerns.  Common standards for reporting within the framework set forth by the FDTA could reduce reporting entities’ burden by making filing financial reports across multiple regulatory agencies more efficient. Potential challenges and costs of implementation Regulatory agencies may need to modernize legacy data systems, coordinate across agencies, and manage data governance costs. Reporting entities could incur costs for adapting processes and systems to comply with the FDTA’s updated reporting requirements, as well as conducting system testing. While the FDTA sets forth provisions for the sharing of certain key data elements in the context of financial regulation, there is interest in a broader, government-wide data standard, similar to Standard Business Reporting (SBR) that would reduce the burden on reporting entities while streamlining the reporting process across all government agencies. SBR refers to the government-wide adoption of a common taxonomy, or shared dictionary of data fields, in a way that enables data processing to be automated and data to be gathered from reporting entities and transferred to regulators. While the United States does not currently have SBR, other federal efforts have addressed the streamlining of government data reporting to better ensure its usefulness and improve its quality. Practitioners in the fields of data management, data governance, and regulations told GAO the FDTA could put the United States on a path towards a government-wide reporting system, similar to SBR. GAO’s past work on prior government-wide efforts to establish data standards provide effective practices on interagency collaboration and data governance that can guide regulators at such time as they should seek to build toward a government-wide regulatory standardization mechanism like SBR. Why GAO Did This Study Federal agencies regulate, supervise, and oversee banks, savings associations, credit unions, and financial markets that manage trillions of dollars in deposits and loans. Regulations often require entities to report information to the government to assess compliance and help ensure the soundness of financial markets. GAO has previously reported, however, that these reporting requirements also create burdens on reporting entities, especially if they are reporting the same or similar information to multiple agencies. Congress included a provision in statute for GAO to review the feasibility, costs, and potential benefits of building upon the taxonomy established by the FDTA to arrive at a government-wide regulatory compliance standardization mechanism similar to SBR. This report (1) describes stakeholders’ views on potential benefits, costs, and challenges of the FDTA; and (2) describes effective practices to facilitate future government-wide data standardization efforts and stakeholders’ views on such potential efforts. GAO reviewed documentation and corresponded with officials from nine regulatory agencies involved in implementing the FDTA. GAO met with four practitioner groups knowledgeable about data standards and the FDTA, including private entities that develop software solutions or other products to support data standardization, to understand the technology and their experiences with compliance reporting. GAO also interviewed four groups representing reporting entities, as well as two academic researchers knowledgeable about financial regulatory reform efforts. GAO also reviewed its prior work to identify effective practices in interagency collaboration and data governance structures. For more information, contact Yvonne Jones at jonesy@gao.gov.

What GAO Found The Department of Veterans Affairs (VA) is responsible for securing its facilities. GAO has identified security challenges at VA medical facilities and made recommendations to help manage related risks. In January 2018, for example, GAO found limitations with VA’s risk assessment methodology and recommended VA review and revise its risk management policies to reflect interagency standards, and develop an oversight strategy to assess its facilities’ risk management programs. VA has not yet fully implemented these recommendations as of April 2026. In April 2026, GAO reported that its 2025 covert testing found security vulnerabilities at selected VA facilities. In some cases, VA security measures were not effective. Specifically, VA failed to detect most of GAO’s covert tests related to security vulnerabilities it had previously identified in its risk assessments of its medical facilities. For example: In all 30 tests, VA staff did not detect a prohibited weapon that GAO investigators carried into the VA facilities, including two that had metal detectors. In 25 of 26 tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka—which is generally prohibited at VA facilities. Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility Taking actions to address GAO recommendations would better provide VA with information it needs to make informed decisions, allocate resources effectively, and prioritize security efforts to create a safe environment for veterans and VA staff. Why GAO Did This Study VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft. The Interagency Security Committee (ISC)—which VA is a member of— developed a risk management standard that federal agencies must follow to identify and address the types of security vulnerabilities impacting their facilities. GAO has conducted work related to the ISC’s risk management standard and security at VA medical facilities. This statement, based primarily on three reports published from January 2013 to April 2026, discusses challenges VA faces related to the security of its facilities and actions that could help address those challenges, among other issues.

What GAO Found The Department of Defense (DOD) has never achieved an unmodified (“clean”) opinion on its financial statements. Over the last 30 years, DOD's auditors have issued thousands of notices of findings and recommendations and identified associated material weaknesses. In recent years, DOD and its components have made some progress in their remediation efforts by achieving important milestones. For example, the Marine Corps first achieved a clean audit opinion for fiscal year (FY) 2023 and has achieved a clean opinion each subsequent year. DOD’s financial statement audits and related efforts have also resulted in a range of benefits, including cost savings and avoidances, improvements to systems, and enhanced visibility over assets and inventory. These benefits, in turn, support improvements to operations, enhancements to DOD’s overall readiness, and warfighter priorities. After decades of unauditable financial statements and 8 years of undergoing full scope financial audits, DOD is taking a revised approach to achieve its goal of a clean audit opinion by the end of 2028. DOD revised its approach after the DOD Office of Inspector General (OIG) issued a disclaimer of opinion on DOD’s financial statements for FY 2025, meaning that DOD was unable to provide sufficient evidence for DOD OIG to form an opinion. The revised approach includes centralizing coordination, placing increased emphasis on investing in technology (including artificial intelligence), and ensuring evidence supports material account balances, rather than relying on underlying internal controls for producing reliable data. DOD’s Revised Approach to Achieving a Clean Audit Opinion by the End of 2028 Previous approach included Revised approach includes Decentralized response (bottom-up) Centralized coordination (top-down) Focus on correcting control deficiencies Focus on material line items Reliance on internal controls Manual testing of large samples and using artificial intelligence tools, as needed Source: GAO analysis of DOD documentation. | GAO-26-109115 DOD’s renewed focus on auditability is encouraging. However, questions remain about how the revised approach will address DOD’s other longstanding financial management issues and challenges. These include transparency and accountability in audit remediation (monitoring efforts to address overall audit findings); key IT and other material weaknesses; fraud risks; availability of trained financial management resources; and sustainability beyond 2028. These are important for DOD to consider in undertaking its revised approach. Furthermore, this effort is likely to be labor and resource intensive and has important tradeoffs and risks. For example, under this approach, DOD would not prioritize remediating key internal control deficiencies for at least the next 2 years. Addressing these deficiencies is critical for producing reliable, useful, and timely financial information for decision-making. Stronger financial management could help DOD address critical issues such as unfunded priorities, ensuring it spends its funds appropriately, mitigating its fraud risks, and improving operations and readiness. Why GAO Did This Study DOD spends over $1 trillion annually to provide the military forces needed to deter war and to protect the security of the United States. DOD’s spending makes up almost half of the federal government’s total discretionary spending, and its physical assets make up about 82 percent of the federal government’s total physical assets. For FY 2027, the President has requested $1.5 trillion for DOD, a 44 percent increase from FY 2026. DOD’s inability to achieve a clean audit opinion is one of three major impediments preventing GAO from expressing an audit opinion on the U.S. government’s consolidated financial statements. DOD obtaining a clean audit opinion is important for ensuring that its financial statements and underlying financial management information are reliable for decision-making. DOD’s financial management has been on GAO’s High-Risk List since 1995. In 2025, GAO expanded DOD’s financial management high-risk area to include fraud risk management. This testimony discusses (1) DOD’s recent audit progress, realized benefits, and ongoing challenges; and (2) questions and important considerations as DOD implements its revised approach to achieving a clean audit opinion. This statement is primarily based on GAO’s related body of work from 2020 through 2026; details on GAO's methodology can be found in each of the reports cited in this statement. For more information, contact Asif Khan at khana@gao.gov, Vijay D’Souza at dsouzav@gao.gov, or Seto Bagdoyan at bagdoyans@gao.gov.

What GAO Found The Office of Head Start (OHS) provides funding and technical assistance to support Tribal Head Start programs in teaching Native languages and culture. In fiscal year 2024, OHS provided $345 million for Tribal Head Start programs. OHS also provided training to 141 Tribal Head Start programs related to incorporating Native language, culture, and traditions in recent years. Each of the 10 selected Tribal Head Start programs GAO interviewed used immersion, dual language classrooms, or short language lessons to teach Native languages, as allowed by the Head Start Program Performance Standards. Indigenous Cultural Themes Incorporated into a Tribal Head Start Playground OHS offers Tribal Head Start programs flexibilities, training, and technical assistance to help address enrollment concerns. Officials from selected Tribal Head Start programs spoke positively of support from OHS but reported communication challenges with OHS involving timeliness that impacted their use of the flexibilities. For example, to address challenges with hiring or retaining qualified staff, Head Start programs can apply for approval to reduce the number of program seats they are required to fill and may use funds from leftover seats to raise staff wages. In fiscal year 2024, OHS took an average of 199 days to communicate approval decisions to Tribal Head Start programs. OHS reported a new intake process in August 2024. This reduced the average time to 91 days for the nine requests that were submitted after the new process began and were completed as of July 2025. However, 35 requests that were also submitted after the new process began were pending as of September 2025, with time frames ranging from 15 to 308 days. Five of 10 selected Tribal Head Start programs GAO interviewed in 2025 also said they did not receive timely communication from OHS about such requests, and one reported the lack of communication limited its ability to increase teacher compensation. OHS has not identified and addressed the causes of timeliness challenges, reported by selected Tribal Head Start programs, in its communication with the programs related to increasing enrollment. By doing so, OHS could help tribal programs avoid delays in their efforts to improve their enrollment numbers. Why GAO Did This Study According to OHS, Tribal Head Start programs are key to preserving and promoting Native language, culture, and traditions. They also help fulfill the federal government’s trust responsibility to protect the interests of Tribal Nations. Yet, enrollment in Tribal Head Start programs has declined in recent years, from about 26,000 in school year 2018-2019, to about 18,000 children in school year 2023-2024. GAO was asked to review the role of Tribal Head Start programs in promoting Native language and culture as well as their declining enrollment. Among other things, this report examines OHS’s support for tribal programs in teaching Native language and culture and the extent to which OHS helps programs address their enrollment challenges. GAO interviewed a nongeneralizable sample of 10 Tribal Head Start programs. Tribal programs were selected to reflect a variety of regions, experience operating Head Start programs, and enrollment. GAO conducted site visits to eight of the selected programs. GAO also analyzed the most recent OHS data, reviewed relevant federal laws, regulations, and guidance, and interviewed OHS officials.

What GAO Found The Department of Defense (DOD) has periodically assessed its office space needs in the National Capital Region (NCR)—Washington D.C. and surrounding counties in Maryland and Virginia—often relying on usage data. Examples of Large DOD Office Buildings in the National Capital Region In 2025, DOD issued guidance requiring collection of additional data on owned and leased office space usage, including the number of people occupying each workspace. However, GAO found that over half of DOD office spaces in the NCR had not reported occupancy data as of September 2025. Further, some of the submitted data likely included inaccuracies. GAO identified potential data entry errors and outliers in DOD data, and officials stated they were concerned whether data were free from error. Developing actions to enforce its guidance on the collection of occupancy data and establishing a process to ensure accuracy could help equip DOD with the data needed to consolidate unused space and reduce leasing costs. DOD has established processes for entering into lease agreements in the NCR when government-owned space is not feasible but lacks key information for decision-making. For example, although Washington Headquarters Services has coordinated with the military departments on new leases, its inventory of leased office space did not include all DOD leased office space in the NCR, as of January 2026. GAO identified 17 leases executed by the military departments that were not included in the inventory. These leases constituted about 20 percent of leases and comprised over 492,000 square feet. Coordinating leases with the military departments would enable Washington Headquarters Services to better ensure the efficiency and economy of leasing decisions. Washington Headquarters Services also does not have full visibility into the space available on military installations. Officials stated that they have relied on the military departments to coordinate with installations. Officials from the military departments told GAO they do not track or report available space. Establishing in guidance how Washington Headquarters Services is to coordinate with installations on available space, as DOD requires, should help DOD avoid entering into unnecessary leases and reduce costs. Why GAO Did This Study DOD managed about 35 million square feet of DOD-owned or leased office space in the NCR, as of March 2025. DOD’s needs for and use of these spaces are dynamically changing, partly because of the return to in-person work and changing workforce needs. The military departments are responsible for office space on their installations and may also execute leases. Washington Headquarters Services, within DOD, is responsible for space planning and management for office space outside installations and for reviewing leasing requests in the NCR. House Report 118-125 includes a provision for GAO to review how DOD manages its real property needs in the NCR. This report evaluates the extent to which DOD has (1) assessed its office space needs and usage in the NCR and (2) established processes for entering into lease agreements for office space in the NCR. GAO reviewed DOD needs assessments, occupancy data from April to September 2025, and leasing processes; interviewed DOD officials; and visited a non-generalizable sample of DOD-owned and -leased office spaces in the NCR.

What GAO Found Department of Veterans Affairs (VA) police records report around 74,700 crimes at VA medical facilities in fiscal years 2024 and 2025. The overwhelming majority were nonviolent and included disorderly conduct, theft, and drug offenses, according to GAO analysis. GAO found that the average crime rate for the 2-year period was about two times higher in areas with more urban VA facilities (214 crimes per facility) than rural facilities (123 crimes per facility), which is consistent with a Department of Justice report on overall criminal trends. The Interagency Security Committee (ISC)—which VA is a member of—developed a risk management standard that federal agencies are required to follow to identify and address security risks. However, VA has not fully implemented all ISC requirements, such as documenting decisions on which security strategies it will adopt or measuring the performance of its security strategies. In covert tests, VA staff did not detect a prohibited weapon that GAO investigators carried into any of the 30 tested VA medical facilities, including two that had metal detectors. In 25 of 26 covert tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka—which is prohibited at VA facilities. Developing a plan with milestones and assessing resource requirements to fully implement the standard could help VA better manage security risks to create a safe environment for veterans and VA staff. Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility Consistent with ISC and internal control standards, VA obtains security and threat information and works to address security gaps through its capital planning. VA has a performance goal to address security gaps for capital projects. While VA has met its overall security gap planning goal, two of the 18 regions did not in fiscal years 2023 through 2025 and did not take actions to improve performance. This is because VA headquarters—the entity that tracks each region’s progress—did not communicate to the regions that they were not meeting this goal. Communicating this information to the regions could help VA ensure that it continues to meet this goal. Why GAO Did This Study VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. These facilities have been the target of violence, threats, and other security-related incidents. VA is responsible for physical security at its medical facilities. GAO was asked to review security at VA medical facilities. This report examines (1) the nature of reported criminal activity at VA medical facilities, (2) the extent VA implemented federal security requirements and detected security vulnerabilities at VA facilities, and (3) VA processes for obtaining and incorporating security and threat information into infrastructure planning. GAO reviewed VA security and infrastructure planning policies, crime data from fiscal years 2024 and 2025, and risk assessment and infrastructure performance data from fiscal years 2023, 2024, and 2025. GAO also conducted covert security tests at a non-generalizable sample of 30 VA facilities, selected to ensure variation in the size and geographic locations of facilities, among other factors. GAO interviewed VA personnel and veterans in Arkansas and California.

What GAO Found Over the past 2 decades, the Commonwealth of the Northern Mariana Islands (CNMI) has experienced significant challenges, including the COVID-19 pandemic, natural disasters, and the loss of its manufacturing sector. These challenges, along with a diminishing workforce, have contributed to its weak economic position. The CNMI-Only Transitional Worker (CW-1) program is a temporary foreign worker permit program CNMI uses to employ foreign workers. GAO determined that these foreign workers in the CNMI remain a major segment of the territory’s employed workers, accounting for approximately one out of three workers on average from 2020 through 2024 (see figure). Share of U.S., Foreign, and Unknown Workers in the Commonwealth of the Northern Mariana Islands (CNMI), Calendar Years 2020–2024 Note: We categorized workers whom we could not identify as U.S. or foreign on the basis of CNMI tax data as “unknown.” Our categorization of these workers is based solely on CNMI tax data and is not a determination based on records underlying the data of whether any individual meets the definition of U.S. worker under the Northern Mariana Islands U.S. Workforce Act of 2018. Percentages shown for 2020, 2022, and 2024 do not sum to 100 because of rounding. Foreign workers are especially important to the territory’s primary industry, tourism, which has struggled to rebound following a 2018 typhoon and the COVID-19 pandemic. According to CNMI officials and business leaders, the CNMI does not have enough U.S. workers to fill current job openings and will continue to require foreign workers as its economy recovers. The CW-1 program is set to expire on December 31, 2029. Officials from the CNMI government, business community, and educational institutions expressed concerns that the end of this program will have severe adverse effects on the economy. However, the extent of these potential effects is unknown. The Department of the Interior (Interior) has been delegated administrative supervision for for managing the U.S. government’s relations with the CNMI, including coordination with other federal agencies, such as the Departments of Homeland Security and Labor. Interior has also previously conducted or contributed to studies assessing different aspects of the CNMI workforce and economy. However, Interior has not conducted a study to assess potential risks to the CNMI workforce and economy associated with the end of the CW-1 program. Interior officials said they have limited resources to conduct such an assessment but agreed it would be beneficial to decision-makers. Congress previously stated its intent to minimize potential adverse economic and fiscal effects of phasing out the CW-1 program. Maintaining economic stability in the CNMI is vital to U.S. interests in the Pacific region. Without assessing the potential risks of ending the CW-1 program and identifying ways to mitigate them, the CNMI, Interior, and Congress will not have the information needed to make decisions regarding how to support the CNMI economy when the CW-1 program ends after December 31, 2029. Why GAO Did This Study The CNMI is a U.S. territory that consists of 14 islands in the western Pacific Ocean, just north of Guam and about 3,200 miles west of Hawaii. Its location in the Pacific provides the U.S. with military deployment flexibility and the ability to monitor expanding Chinese influence in the region. Under the Consolidated Natural Resources Act of 2008, the Department of Homeland Security established the CW-1 program to provide for an orderly transition from the CNMI immigration system to the U.S. federal immigration system during a transition period. The Northern Mariana Islands U.S. Workforce Act of 2018 (the act) extended the CW-1 program through December 31, 2029. The act sought, in part, to increase the percentage of U.S. workers in the total CNMI workforce while maintaining the minimum number of workers who are not U.S. workers to meet the changing demands of CNMI's economy. The act calls for various reports on the CNMI's progress toward this goal, including an annual report by the Governor of the CNMI identifying the ratio of U.S. workers to foreign workers in the workforce. The act also includes a provision for GAO to report every 2 years on the ratio of foreign workers to U.S. workers in the CNMI workforce for the previous 5 calendar years. GAO analyzed CNMI government and U.S. agency data and reports; reviewed prior GAO reports; observed economic conditions in the territory; and interviewed officials from the CNMI government, business leaders and education professionals in the CNMI, and officials from the Departments of Homeland Security, the Interior, and Labor.