What GAO Found The Department of Energy (DOE) is pursuing options to grout (i.e., immobilize in a concrete-like mixture) a portion of waste from 22 underground storage tanks at the Hanford Site. Specifically, DOE plans to grout about 24 million gallons of waste that has low levels of radioactivity—called low-activity waste (LAW). The waste will then be disposed of at one of two commercial disposal facilities located outside of Washington State. DOE will generally follow five process steps to grout and dispose of Hanford LAW. General Process Steps for Grouting and Disposing of Low-Activity Radioactive Waste from Hanford In December 2025, DOE’s tank waste contractor at the Hanford Site issued a solicitation to prospective subcontractors to submit proposals to grout the waste. As of April 2026, DOE and its contractor are evaluating proposals and plan to award one or more contracts later in 2026. As part of this evaluation, DOE is assessing options regarding where to grout this waste. DOE’s options include, for example, designing and constructing a new grouting facility onsite at Hanford or transporting liquid waste to existing grouting facilities for treatment and permanent disposal. In determining a path forward, DOE must consider a range of factors, including cost and schedule, associated risks, and disposal options. DOE must also consider whether to transport the waste in liquid or grouted form by truck or rail. DOE officials and industry representatives agreed that a reasonable cost estimate for grouting Hanford LAW, in either a new or existing commercial grout facility, ranges from about $20 to $45 per gallon of waste. Accordingly, grouting 24 million gallons of LAW could cost $480 million to $1.1 billion. DOE officials and industry representatives emphasized these costs captured only the grouting process and did not include other key costs, such as transportation, disposal, and the need to address potential organic materials that were added during waste extraction operations and remain in a portion of the waste. DOE is also exploring potential opportunities to continue grouting Hanford LAW beyond the initial 22 tanks. In doing so, DOE officials stated they must holistically consider the costs, schedules, and risks present across all of DOE’s efforts spanning the Hanford Site. They added that pursuing additional grouting opportunities could help the agency to address existing gaps in Hanford’s treatment capability and accelerate cleanup operations at the site. Why GAO Did This Study The Hanford Site in Washington State is home to one of the largest and most expensive environmental cleanup projects in the world. DOE’s mission at Hanford includes addressing approximately 55 million gallons of hazardous and radioactive waste stored in 177 underground tanks that must be retrieved and treated—or immobilized—before disposal. GAO has previously reported that grouting Hanford LAW could accelerate DOE’s cleanup mission and save billions of dollars. Senate Report 119-39 includes a provision for GAO to assess DOE’s available options for grouting Hanford LAW. This report provides information on DOE’s options for grouting, transporting, and disposing of a subset of Hanford LAW and key factors for DOE’s consideration in pursuing identified options. GAO assessed DOE documentation, relevant reports, and prior GAO work on DOE’s cleanup mission at Hanford and its options to treat and dispose of liquid tank waste. GAO also analyzed data from DOE’s Best Basis Inventory on the volume and radioactivity of selected underground storage tanks at Hanford. GAO interviewed DOE officials and industry representatives to identify and assess DOE’s options for grouting and transporting Hanford LAW as well as relevant factors affecting DOE’s decision-making. For more information, contact Nathan J. Anderson at andersonn@gao.gov.

Why This Matters In September 2017, Hurricanes Irma and Maria struck Puerto Rico, causing billions of dollars in damage to its housing, infrastructure, and economy. Paths of Hurricanes Irma and Maria in Puerto Rico, September 2017 Puerto Rico had already experienced a prolonged economic recession before the hurricanes, contributing to increases in mortgage delinquencies and foreclosures. The widespread devastation from Maria raised questions about how foreclosure rates in Puerto Rico might be affected. In November 2023, the Federal Reserve Bank of New York published a report that examined the effects of Irma and Maria on the stability of banks and their ability to lend, as well as the performance of bank-held and federally owned or guaranteed mortgages. Specifically, it compared the performance of mortgages in Puerto Rico before and after Maria, including rates of delinquency, banks’ mortgage loss, and foreclosure. The report also provided information on homeownership rates. According to the report, Maria’s effect on mortgages in Puerto Rico appears to have been mild or short-lived. The following summarizes the report’s key findings. Delinquency Rates At the time Maria struck, more than 10 percent of active mortgages in Puerto Rico were already delinquent. The rate roughly tripled by November 2017 but returned to pre-Maria levels 1 year later. Loss Rates for Bank-Held Mortgages Bank losses on mortgages generally represent the unpaid principal balance of loans in default minus amounts recovered from the proceeds of the sale of the home and mortgage insurance. Banks’ mortgage loss rates can be considered a proxy for estimating mortgage default rates in Puerto Rico. According to the report, various financial protections helped limit bank losses and contributed to relatively mild and short-lived financial effects. For example, mortgage insurance and government assistance helped protect banks from losses on residential mortgages in Puerto Rico. Banks experienced the greatest losses on conventional mortgages without private mortgage insurance. Loans covered by mortgage insurance (private or through the Federal Housing Administration) or guaranteed by the Department of Veterans Affairs were less likely to result in bank losses. These insured or guaranteed loans made up about 37 percent of all loans. Losses were more common among loans that were already troubled before Maria. Foreclosure Rates In response to Maria, the Department of Housing and Urban Development, Federal Housing Administration, Fannie Mae, Freddie Mac, and the U.S. Department of Agriculture imposed a foreclosure moratorium from the fourth quarter of 2017 through the third quarter of 2018. Despite the spike in delinquencies, foreclosures continued to decline during the moratorium. After it was lifted, foreclosures rose for several months before returning to prior trends after about 1 year. Many mortgages foreclosed in 2019 were likely delinquent before Maria, suggesting that the effect of Maria was modest. Homeownership Rates In 2017, homeownership rates in Puerto Rico were comparable to those on the U.S. mainland. However, mortgage financing was less common in Puerto Rico—about 41 percent of owner-occupied homes had a mortgage, compared with about 67 percent on the mainland. According to the report, residents in Puerto Rico’s large informal housing sector (such as homes built on public land and subdivided family plots) may lack title to their property, making it hard to obtain a mortgage. Rates of Return for Housing Developers The Economic Growth, Regulatory Relief, and Consumer Protection Act also required GAO to report on rates of return for housing developers in Puerto Rico, but this analysis could not be conducted because data were not available. Why GAO Did This Study The Economic Growth, Regulatory Relief, and Consumer Protection Act includes a provision for GAO to report on foreclosures in Puerto Rico before and after Hurricane Maria, including rates of delinquency, default, foreclosure, and homeownership. This report summarizes key relevant findings from a November 2023 Federal Reserve Bank of New York report that examined this issue. For more information, contact Jill Naamane at naamanej@gao.gov.

Based on the limited procedures GAO performed in reviewing the performance of the independent public accountant’s (IPA) audit of the Congressional Award Foundation’s financial statements for fiscal year 2024, GAO did not identify any significant issues it believes require attention. Had GAO performed additional procedures, other matters related to the performance of the audit might have come to its attention that it would have reported. The IPA provided an unmodified audit opinion on the Foundation’s financial statements for fiscal years 2024 and 2023. Specifically, the IPA found that the Foundation’s financial statements were presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles. However, for fiscal year 2024, the IPA identified a deficiency related to revenue recognition that it considered to be a material weakness in the Foundation’s internal control over financial reporting. Further, for fiscal year 2024, the IPA did not identify instances of noncompliance or other matters that are required to be reported under U.S. generally accepted government auditing standards. The Foundation concurred with the IPA’s conclusions. GAO’s review of the Foundation’s fiscal year 2024 financial statement audit, as differentiated from an audit of the financial statements, was not intended to enable GAO to express—and it does not express—an opinion on the Foundation’s financial statements or a conclusion on the effectiveness of its internal control over financial reporting. Furthermore, GAO does not express an opinion on the Foundation’s compliance with provisions of applicable laws, regulations, contracts, and grant agreements. The IPA is responsible for its reports on the Foundation and the conclusions expressed therein. GAO provided a draft of this report to the Foundation and the IPA for review and comment. The Foundation’s National Director and the Foundation’s Audit Committee Chair responded in an email that they have taken actions to improve operations and internal controls over financial reporting related to revenue recognition. The IPA’s Audit Principal responded in an email that the IPA had no comments regarding GAO’s report and its findings. Why GAO Did This Study This report presents the results of GAO’s review of the Foundation’s financial statement audit for fiscal year 2024. The Congressional Award Act established the Congressional Award Board to carry out a program to promote excellence among the nation’s youth in the areas of public service, personal development, physical fitness, and expedition or exploration. The Board created the Foundation as a nonprofit corporation to help it carry out this program. The Congressional Award Act, as amended by the Government Reports Elimination Act of 2014, requires the Foundation to obtain an annual financial statement audit from an IPA. The act also includes a provision for GAO to review the audit and report the results to the Congress annually. GAO’s objective was to review the Foundation’s fiscal year 2024 financial statement audit to identify any significant issues it believes require attention. To satisfy this objective, GAO (1) read and considered various documents with respect to the IPA’s independence, objectivity, and qualifications; (2) analyzed key IPA audit documentation; (3) read the Foundation’s financial statements for fiscal years 2024 and 2023, the IPA’s audit report on the these statements, and the IPA’s report on internal control over financial reporting and on compliance and other matters based on its audit; and (4) discussed matters pertinent to its objective with IPA representatives and Foundation management officials. For more information, contact Cheryl E. Clark at clarkce@gao.gov.

What GAO Found In this 10th annual review, GAO found that most federal agencies that could be subject to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended (IAA), have published civil monetary penalty inflation adjustments for 2025 in the Federal Register and reported related information in their 2025 or 2024 agency financial reports (AFR) or equivalent. All 49 agencies GAO reviewed for 2025 correctly calculated the 2025 civil monetary penalty annual inflation adjustment amounts. However, one agency did not publish its inflation adjustment in the Federal Register as of December 31, 2025, and did not report the required information in its 2025 AFR for its civil monetary penalties. Why GAO Did This Study The IAA includes a provision, added in 2015, for GAO to annually submit to Congress a report assessing agencies' compliance with the annual inflation adjustments the act requires. For more information, please contact Paula M. Rascona at rasconap@gao.gov.

What GAO Found The Department of Defense’s (DOD) Defense Suicide Prevention Office (DSPO) is responsible for suicide prevention efforts across the department, but it lacks information to monitor DOD-wide completion of required suicide prevention training. Specifically, a DSPO official told GAO the office does not receive data from the military services on whether they are completing the training. Requiring the services to report their training completion rates would give DSPO data needed to make informed decisions as it oversees training and develops DOD-wide suicide prevention policies. In addition, the military services’ headquarters suicide prevention offices generally do not effectively monitor training completion for their service members. The Army, Navy, and Marine Corps offices do not regularly track required annual training completion and only the National Guard Bureau takes action to help ensure training completion. Addressing these issues would help the service headquarters offices ensure training and service-specific learning objectives are reaching the military community as intended. Examples of Learning Objectives from Military Services’ Suicide Prevention Trainings, as of 2025 The military services have also not fully assessed the effectiveness of their suicide prevention training. Most of the services have taken steps to do so. For example, the Army, Marine Corps, and Air Force have surveys for some annual trainings. But these and other efforts have not fully assessed training effectiveness, such as by identifying the extent to which expected outcomes have been achieved. Developing and implementing evaluation plans would help the services ensure a systematic approach to assessment and determine if trainings are achieving intended outcomes, such as recognizing risk factors for suicide. DOD has made progress implementing certain training-related recommendations from the Suicide Prevention and Response Independent Review Committee, but uncertainties exist for future efforts. DOD has begun addressing the committee’s recommendations, including 18 on nonclinical training. However, GAO found that DOD’s ability to continue these efforts is uncertain given recent changes in staffing levels and pending decisions on combining suicide prevention training with other trainings. By using an iterative process to regularly update its project plans to account for and mitigate these uncertainties, DOD would be better positioned to effectively assess risks and manage resources. Why GAO Did This Study Suicide rates for active-duty service members have gradually increased since 2011, according to DOD. DOD’s latest data show that in 2024, 471 service members died by suicide. Suicide prevention training can increase awareness of risk factors and provide resources for intervention, among other things. However, recent GAO and DOD reports have identified gaps in DOD’s implementation of suicide prevention activities, including training. House Report 118-125 includes a provision for GAO to assess DOD’s suicide prevention training. This report examines (1) DSPO and the military services’ monitoring of suicide prevention training completion; (2) the military services’ assessment of training effectiveness; and (3) DOD’s steps to address an independent review committee’s training-related recommendations. GAO reviewed DOD policies, procedures, and other documentation on suicide prevention training; analyzed fiscal years 2020–2024 data on training completion; assessed DOD-wide evaluation procedures against federal standards; and interviewed officials.

This report was submitted to the Acting Comptroller General in accordance with Section 5 of the Government Accountability Office (GAO) Act of 2008. The report summarizes the activities of GAO's Office of Inspector General (OIG) for the 6-month reporting period ending March 31, 2026. During this reporting period, the OIG closed 18 GAO related investigations, opened nine new GAO related investigations, and processed 51 substantive hotline complaints. The OIG also continued work on five engagements and initiated four engagements. For the first time, the OIG will operate under a new Comptroller General, and the type of support that the OIG received from the previous Comptroller General is not assured. With the support of current GAO leadership, the OIG continues to seek a budget floor in fiscal year 2027, so the OIG can keep Congress and future Comptroller Generals fully and currently informed about issues and deficiencies relating to the administration of GAO programs and operations. For more information, contact the OIG at oig@gao.gov.

What GAO Found The Department of Energy’s (DOE) Office of Environmental Management (EM) has become further understaffed since GAO reported on EM’s workforce challenges in July 2024. From fiscal year (FY) 2023 through FY 2025, total staff decreased by 33 percent, from 1,272 to 856. This created an overall vacancy rate of 45 percent as of the end of FY 2025, based on a staffing need of 1,515 full-time employees that EM identified in FY 2023. This understaffing includes shortages in mission-critical occupations that are integral to carrying out EM’s mission, which includes addressing contaminated buildings, soil, and groundwater, and treating radioactive waste. Federal Staff in Selected Mission-Critical Occupations at the Department of Energy’s Office of Environmental Management (EM), End of Fiscal Year (FY) 2025 Occupational group Onboard staff Separations in 2025 Vacancies Vacancy rate (based on FY23 need) Retirement eligibility rate by 2030 General Engineering 174 69 179 51% 31% (54) Nuclear Engineering 19 14 23 55% 42% (8) General Physical Science 117 55 51 30% 35% (41) Source: GAO analysis of Department of Energy and EM information. | GAO-26-108674 EM experienced high attrition in FY 2025. Most staff left through the Deferred Resignation Program (DRP), and attrition will likely remain high, according to EM data. Of the 409 staff who left EM in FY 2025, 76 percent (312) separated through the DRP. Almost half (180) were in mission-critical occupations. EM’s remaining workforce is aging. EM’s data indicate that, as of the end of FY 2025, 35 percent of EM’s remaining staff, and 30 percent in mission-critical occupations, will be eligible for retirement by 2030. According to officials, EM plans to hire about 174 new staff in FY 2026, based on its FY 2026 budget, to help offset staffing gaps. As of March 2026, officials said EM is reassessing staffing needs and did not plan to change work scopes to match any potential changes in workforce numbers while considering reorganization. A reduction in identified staffing needs would eliminate some vacant positions, according to officials. In July 2024, GAO reported that EM’s levels of understaffing and workforce management challenges had caused schedule delays, cost overruns, and workplace accidents. These events all affected EM’s mission to clean up nuclear waste, according to DOE assessments. GAO concluded that without efforts to address workforce challenges, severe staffing shortages threatened EM’s ability to meet its mission. Why GAO Did This Study EM relies on federal staff to oversee its nuclear waste cleanup, which is the result of decades of nuclear weapons production and research at locations across the country. Since January 2025, several executive orders, memoranda, and related programs have affected EM’s workforce. GAO was asked to provide updated information on the EM workforce data that it had reported in July 2024 in GAO-24-106479. This report describes EM’s workforce capacity including the composition and attrition rates as of the end of FY 2025. GAO reviewed agency documents, analyzed EM’s human capital data for fiscal years 2023 through 2025, and interviewed EM officials.

What GAO Found The Export-Import Bank of the United States (EXIM) has generally monitored and evaluated the effectiveness of its fraud prevention activities in accordance with GAO’s leading practices. For example, EXIM surveys internal stakeholders, such as program managers and loan officers, to evaluate its fraud risk assessments. However, EXIM does not fully engage with external stakeholders to inform its fraud risk management activities, as called for in leading practices. EXIM works with external stakeholders, such as lenders and export credit insurance partners, to process transactions that carry EXIM’s guarantees. These stakeholders have antifraud responsibilities, but EXIM does not involve them in its fraud risk assessment process. EXIM officials explained they do not think it is feasible to include these external stakeholders in the risk assessment process, or in the evaluation of those assessments, as there are many external stakeholders of varying sizes and types. By not engaging with external stakeholders, EXIM is not well positioned to fully understand the landscape of fraud risks and vulnerabilities facing the agency, such as risks posed by tariff evasion and the malicious use of artificial intelligence, therefore putting taxpayers at risk. Further, EXIM collects information about potential fraud from internal loan officers to inform real-time monitoring efforts across its programs, but EXIM does not collect such information from external stakeholders (see fig. on the types and impacts of potential fraud at EXIM). According to leading practices, program managers should collect information from external stakeholders for real-time monitoring of fraud trends. By not collecting this information, EXIM is missing opportunities to proactively address fraud risks. Types and Impacts of Potential Fraud at Export-Import Bank of the United States GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025, to determine if entities that were banned from receiving federal assistance were present in the transaction data. GAO’s analysis did not identify any excluded parties within the EXIM transaction data during that period. Why GAO Did This Study EXIM’s mission is to support American jobs by facilitating the export of U.S. goods and services. Taxpayers could be responsible for losses arising from EXIM’s operations, including losses due to fraud. Congress included a provision in statute for GAO to periodically review EXIM’s antifraud controls. This report assesses the extent to which (1) EXIM has monitored and evaluated its fraud risk management activities and engaged its stakeholders in the monitoring process; and (2) excluded parties can be identified in EXIM’s transaction data from January 1, 2022, to June 30, 2025. GAO reviewed EXIM’s activities against relevant leading practices for fraud risk management identified by GAO, reviewed EXIM documentation, and interviewed EXIM managers and select external stakeholders responsible for fraud risk management. GAO selected external stakeholders to obtain a range of perspectives and based the selection on a variety of considerations including geographic location, asset size, the length of time associated with EXIM, and the number of active transactions. GAO also reviewed EXIM transaction data from January 1, 2022, to June 30, 2025.

What GAO Found A 2018 law generally prohibits executive agencies from procuring telecommunications and video surveillance equipment produced by certain companies, or their subsidiaries and affiliates, linked to the People’s Republic of China (referred to as “covered equipment”). Agencies are not prohibited from using covered equipment procured prior to this prohibition. Officials from four of six selected agencies—the Departments of Homeland Security, Justice, State, and Treasury—told GAO they did not identify any covered equipment connected to their IT networks. The Departments of Defense (DOD) and Energy reported finding little covered equipment in recent searches and having efforts underway to address potential risks. For example, DOD officials identified three instances of covered equipment connected to its network and confirmed the devices have been blocked from external access while DOD acts to remove them. All six selected agencies have used a combination of methods to search for covered equipment since 2019. Each method has benefits and limitations. For example, IT network scans may not scan agencies’ entire IT networks, including classified networks. Methods Selected Agencies Have Used to Search for Covered Equipment, 2019– December 2025 Agency IT hardware asset inventory searcha IT network scanb Procurement record search Physical search Department of Defense X X – X Department of Energy X X – – Department of Homeland Security X X X – Department of Justice X X X – Department of State X X – – Department of the Treasury X X X – Source: GAO analysis of agency responses. | GAO-26-107668 Note: “Covered equipment” refers to “covered telecommunications equipment” as defined by the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 889(f)(3), 132 Stat. 1636, 1918 (2018). aIT hardware asset inventories are records of IT hardware assets owned by an agency. bIT network scans use software to identify devices active on an IT network. Officials at some of the selected agencies cited limited visibility into product supply chains as a challenge in identifying covered equipment. For example, one agency official noted that manufacturers were reluctant to share proprietary information about their supply chains, thereby limiting the agency’s ability to determine whether devices in its inventory contained components produced by covered entities. Some officials said the lack of comprehensive, authoritative information on companies’ subsidiaries and affiliates also posed a challenge. However, officials noted that such information would be accurate only at the time it was developed, because companies may change their names or acquire or divest subsidiaries and affiliates. Why GAO Did This Study The federal government depends on a complex network of telecommunications and video surveillance equipment to support operations and communicate with the public. Foreign adversaries may seek to exploit vulnerabilities in this equipment. According to the Office of the Director of National Intelligence, China poses the most active and persistent cyber threat to the federal government. GAO was asked to review issues related to federal agencies’ use of covered equipment. This report examines (1) the amount of covered equipment selected agencies have identified, and actions the agencies have taken to address risks associated with using the equipment; and (2) the methods selected agencies reported using to search for covered equipment and challenges they have experienced. To conduct this review, GAO selected the six agencies from the Chief Financial Officers Act of 1990 that have organizational entities in the Intelligence Community. GAO obtained and reviewed information (e.g., screenshots of network scans or inventory searches) on selected agencies’ identification of covered equipment, if any, and actions to address associated risks. GAO also reviewed agencies’ policies and procedures for developing and maintaining inventories of hardware assets (i.e., equipment) and compared them with relevant National Institute of Standards and Technology cybersecurity requirements. Further, GAO reviewed documentation and interviewed agency officials about their methods for searching for covered equipment and the challenges they faced in identifying the equipment. For more information, contact Andrew Von Ah at vonaha@gao.gov or Jennifer Franks at franksj@gao.gov.

Why This Matters Companies and organizations are collecting more personal data from Americans than before to improve technologies such as AI. But using and sharing large amounts of data carries security and privacy risks, like breaches of personal information. According to the FBI, Americans reported more than $1.4 billion lost due to personal data breaches in 2024. Privacy enhancing technologies, or PETs, can help reduce risks associated with collecting, using, and sharing data. Key Takeaways Privacy enhancing technologies are expanding to new datasets and evolving to counteract malicious actors. They also could enable more secure collaboration and research on sensitive information, such as medical records or proprietary company data. Lack of federal guidance, high resource costs, and workforce constraints affect implementation of these technologies and may hinder widespread use. The Technology What is it? Privacy enhancing technologies modify, hide, or process data in ways that make it difficult to access sensitive information. Newer technologies that focus on minimizing shared data and limiting uses are improving the ways data can be used while protecting privacy. They can facilitate global collaboration on research and fraud detection while also reducing privacy risks associated with using and sharing data. For example, these technologies could enable responsible deployment of AI and other applications that are using increasing amounts of personal data, thereby reducing risks to data privacy. How does it work? Privacy enhancing technologies can be categorized by the different ways they protect data (see figure). Data obfuscation hides or changes data to make it more difficult to accurately identify personal information. For example, data elements may be removed from datasets to depersonalize them or data can be randomly added as “noise.” Next-generation encryption processing tools keep data encrypted while in use. For example, AI could analyze encrypted documents, such as medical records, without decrypting them first through a process called homomorphic encryption. Federated analytics and secure multi-party computation allow multiple entities access to parts of datasets, so that if one entity is compromised, the rest of the dataset remains secure. For example, each smartphone can conduct analysis for predictive text applications before manufacturers collect that information, keeping users’ raw data private and decentralized. How Some Privacy Enhancing Technologies Work How mature is it? These technologies are largely mature, and their use is growing for applications such as AI. Some types are more widely used than others. For example, federated analytics are used by many companies to protect consumer privacy while using their data to train predictive text models. Other types of these technologies can require significant computing power and time, making them difficult to adopt and deploy. For example, analyzing data using homomorphic encryption can take up to a million times as long as analyzing unencrypted data. Researchers are exploring how privacy enhancing technologies can be used to maximize the utility of existing datasets. For example, secure multi-party computation could enable secure sharing of protected genetic information, giving researchers more opportunities to collaborate. Opportunities Increase privacy. Limiting access to and obfuscating data results in fewer opportunities for data to leak, which limits opportunities for malicious actors to identify targets and helps mitigate risks in data-driven applications. Make new data sources available. When data remain private, companies can work collaboratively on proprietary or sensitive data that they might not normally share with competitors and outside groups. For example, banks can safely share information with foreign companies to identify fraud across borders. Researchers can more readily collaborate on sensitive data, like medical records, when those data are protected. Challenges Reliability. Some of these technologies, such as data obfuscation, may reveal data in certain cases. Malicious actors are using machine learning and other strategies to work around privacy enhancing technologies. Resource and skill demands. Some privacy enhancing technologies, such as homomorphic encryption, require more time and other resources than traditional data protection systems. Deploying these technologies effectively requires skill sets that companies and organizations may not possess. Lack of federal guidance. While the federal government requires certain data to be protected, federal guidance for how or when to use these technologies is limited. This leaves entities uncertain about how to best use them, which could slow adoption across different fields and make implementation difficult or ineffective. Policy Context And Questions What additional steps could the U.S. government and industry take to protect personal data? What is the government’s role, if any, in encouraging wider adoption and implementation of privacy enhancing technologies? How can institutions balance calls for privacy against calls for greater data transparency and accountability for using data collaboratively? Selected GAO Work Artificial Intelligence: OMB Action Needed to Address Privacy-Related Gaps in Federal Guidance, GAO-26-107681. Selected Reference OECD (2023), “Emerging privacy-enhancing technologies: Current regulatory and policy approaches,” OECD Digital Economy Papers, No. 351, OECD Publishing, Paris, https://doi.org/10.1787/bf121be4-en. For more information, contact Sarah Harvey at HarveyS@gao.gov.

What GAO Found Scams are a method of committing fraud that involves the use of deception or manipulation intended to achieve financial gain. Scams generally succeed by manipulating and deceiving victims and often play on their emotions to exploit vulnerabilities. Disaster assistance scams are a type of scam that seeks to take advantage of either disaster survivors or people trying to aid disaster survivors. Examples of Disaster Assistance Scams The prevalence of disaster assistance scams is unknown, due in part to underreporting, but recent surveys—including one by the U.S. Census Bureau—suggest that many individuals encounter scams during disaster recovery. Federal agencies collect complaint data that include allegations of these types of scams. While agencies review complaints to identify where further action, such as investigation, might be appropriate, data limitations prevent accurate estimates on how often these scams occur and how much money is lost. Federal agencies use consumer education to raise awareness and help prevent individuals from becoming victims of disaster assistance scams. Factors hindering enforcement actions against scammers include underreporting of scams. Many disaster assistance scams go unreported to the federal agencies that receive and process complaints. These agencies include disaster response agencies—such as the Federal Emergency Management Agency, Small Business Administration, and Department of Housing and Urban Development—and other agencies, such as the National Center for Disaster Fraud. Disaster assistance scams can go unreported for various reasons, including shame, embarrassment, the belief that reporting will not help, and a lack of awareness about how to report the crime. For those complaints that are reported, there are challenges in prosecuting the disaster assistance scams, such as time and resource constraints, case prioritization, and the sophistication of some international scam operations. Why GAO Did This Study Scams related to disaster assistance pose financial and nonfinancial risks to disaster survivors, communities, and federal programs. Scams have been around for many years, have evolved with technology, and are a growing risk to consumers in the United States and around the world. Disaster assistance scams typically target vulnerable individuals and communities affected by a disaster by preying on desperation and fear, as well as exploiting vulnerabilities which may be heightened following a disaster. Disaster assistance scams can further compound losses incurred from disasters themselves. Each year, disasters such as floods, hurricanes, and wildfires affect hundreds of American communities and millions of people. The resulting federal disaster response—billions of dollars distributed quickly—also attracts scammers. It is likely that as natural disasters increase in frequency, so too will scams related to disaster assistance. GAO performed this work under the American Relief Act, 2025, which included a provision for GAO for audits and investigations related to Hurricanes Helene and Milton, and other disasters declared pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act in calendar years 2023 and 2024. This report provides information about disaster assistance scams and efforts to mitigate them. For more information, contact Rebecca Shea at Shear@gao.gov.

What GAO Found The Department of Homeland Security (DHS) is modernizing its financial management systems for the U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE) through three financial systems modernization programs. Reliable cost estimates and schedule assessments are essential to managing major system modernization efforts. GAO’s review of cost estimates for two of the system modernizations found that one substantially met all four characteristics of a reliable cost estimate; the other substantially met three of four characteristics. Regarding schedule, GAO determined that two program schedules were unreliable. Without a reliable schedule estimate that follows best practices, DHS increases the risk that management will lack key information for making decisions about its programs, including the impact on future program costs. DHS’s guidance and financial systems modernization plans varied in consistency with leading practices for data migration, organizational change management, and lessons learned. Summary of GAO Assessment of DHS Guidance and Financial Systems Modernization Plans Against Leading Practices Leading practice area GAO assessment of DHS and program office guidance GAO assessment of component planning documents Data migration Partially consistent Mostly consistent Organizational change management Consistent Mostly consistent Lessons learned process Mostly consistent –a Legend: Consistent = DHS provided evidence that sufficiently satisfied all relevant criterion; Mostly consistent = DHS provided evidence that sufficiently satisfied more than half of the relevant criterion; Partially consistent = DHS provided sufficient evidence that satisfied less than half of the relevant criterion; Not consistent = DHS did not provide sufficient evidence that satisfied the relevant criterion. Source: GAO analysis of Department of Homeland Security (DHS) documentation. | GAO-26-107863 aFinancial systems modernization programs use guidance to help execute their lessons learned process and apply the lessons in future relevant documentation. Therefore, lessons learned planning documents are not expected. DHS guidance used for financial systems modernization data migration is partially consistent with leading practices, while component planning documents were mostly consistent. Further, for organizational change management some component planning documents lacked details. For example, both Coast Guard and ICE plans incorporated steps to perform a readiness assessment, but neither included analysis of this assessment or metrics to measure change readiness. By not fully incorporating leading practices in both guidance and component planning documentation, DHS increases the risk of data errors, time needed to resolve those errors, potential delays in achieving full operational capability, and limiting users’ ability to effectively operate the system. Why GAO Did This Study In 2003, GAO designated DHS as high risk. In 2023, GAO narrowed this high-risk area to focus on DHS’s IT and financial management. To address its financial management issues, DHS is executing a multiyear plan to implement new financial management systems through acquisition programs. In 2025, GAO reported that much work remains for DHS to complete these modernization efforts. GAO was asked to review DHS’s modernization of financial management systems. This report addresses (1) the extent to which DHS ensured a reliable cost estimate and schedule assessment for two key major modernization efforts; (2) whether DHS’s plans and guidance are consistent with leading practices for data migration, organizational change management, and lessons learned; and (3) whether its plans and guidance describe how DHS used the Coast Guard’s implementation experience to inform plans for FEMA’s and ICE’s efforts. Applying its previously issued guidance, GAO evaluated the cost estimates and schedule assessments for two major DHS system modernizations. GAO also identified applicable criteria and leading practices for data migration, organizational change management, and lessons learned. Using these criteria, GAO evaluated numerous guidance and planning documents. GAO also interviewed numerous DHS officials and Coast Guard, FEMA, and ICE officials.

What GAO Found From October 2018 through May 2025, U.S. Customs and Border Protection (CBP) granted about 2.4 million paroles—temporary permission for a noncitizen to stay in the U.S.—out of its nearly 10.4 million encounters at the southwest border (see figure). Over half were to Mexicans, Cubans, and Venezuelans. CBP Paroles and Encounters at the Southwest Border, October 2018–May 2025 CBP implemented policies in 2021 expanding the use of humanitarian parole to help manage increasing encounters at the southwest border. In July 2021, CBP’s U.S. Border Patrol authorized agents to parole apprehended noncitizens on a case-by-case basis under certain conditions, such as limited immigration detention space. Further, in May 2023, CBP expanded access for noncitizens to use the CBP One mobile application to schedule appointments for CBP Office of Field Operations (OFO) officers to inspect them. Almost all (97 percent) appointments in fiscal years 2023 and 2024 resulted in paroles. Noncitizens paroled under the policies were generally placed in removal proceedings. Since January 2025, Border Patrol and OFO implemented guidance and policies restricting the use of parole and the number of paroles decreased substantially. Once noncitizens are paroled at the southwest border, U.S. Immigration and Customs Enforcement (ICE) is responsible for monitoring them to ensure they adhere to the conditions of their release. For example, ICE may require assurances that they attend their removal proceedings. In January 2025, the Department of Homeland Security (DHS) and ICE issued guidance that emphasized the importance of ICE reviewing these cases to determine whether further enforcement action is appropriate. However, ICE does not have the information it needs to readily identify noncitizens CBP paroled at the southwest border and does not monitor them as required. By obtaining this information from CBP, ICE would be better positioned to monitor these noncitizens, review their cases, and take enforcement action, in accordance with DHS and ICE guidance. Why GAO Did This Study Within DHS, CBP is responsible for securing U.S. borders while facilitating legitimate travel and trade. CBP encounters noncitizens at the southwest border at and between ports of entry. CBP has discretion to grant parole—temporary permission to stay in the U.S.—to noncitizens it encounters for urgent humanitarian reasons or significant public benefit. CBP’s OFO and Border Patrol are responsible for securing the border at and between ports of entry. ICE, also within DHS, is responsible for monitoring paroled noncitizens to ensure they adhere to the conditions of their release. GAO was asked to review CBP’s use of humanitarian parole at the southwest border and ICE’s enforcement efforts for paroled noncitizens. This report examines (1) what CBP data show about the number and characteristics of humanitarian paroles at the southwest border since fiscal year 2019; (2) how CBP has used humanitarian parole in processing noncitizens encountered at the southwest border; and (3) ICE’s monitoring and enforcement efforts related to those noncitizens. GAO analyzed CBP and ICE documents, and CBP data on paroles granted at the southwest border from October 2018 through May 2025. GAO also interviewed officials from (1) CBP and ICE headquarters, (2) selected CBP field locations that collectively granted more than half of paroles over the time period, and (3) selected ICE field offices responsible for monitoring noncitizens.

What GAO Found The Small Business Administration’s (SBA) Disaster Loan Program provides low-interest loans to businesses, nonprofits, homeowners, and renters to help repair, rebuild, and recover from physical and economic losses after a declared disaster. In 2023 and 2024, SBA and the Federal Emergency Management Agency (FEMA) separately adopted rules affecting the program. SBA’s rule expanded options for loan recipients and adjusted program limits to reflect inflation. For example, it increased the maximum loan amount for repairing or replacing a primary residence from $200,000 to $500,000 and extended the loan deferment period from 5 to 12 months. FEMA’s rule removed the requirement that certain disaster survivors apply for an SBA loan—and either be denied or receive only partial funding—before qualifying for some types of FEMA assistance. According to SBA’s guidance, its field operations centers are responsible for outreach materials for declared disasters that affect localized areas. SBA relies on press releases and fact sheets to inform disaster survivors and the media about the Disaster Loan Program. However, field operations centers did not consistently update SBA’s disaster-specific press releases or fact sheets to reflect key components of SBA’s 2023 and FEMA’s 2024 rules. GAO’s analysis of outreach materials for 76 presidentially declared disasters in 2023 and 2024 found that while materials from the two field operations centers were generally similar, they were not consistent in the information they included. For example, both centers included updated loan limits in all post-disaster fact sheets. However, the East Field Operations Center incorporated updated SBA language explaining that survivors could apply for certain FEMA assistance without first applying to SBA in 96 percent of its press releases, compared with 5 percent for the West Field Operations Center. By implementing controls to ensure field operations centers consistently include standardized information in their disaster outreach materials, SBA would have greater assurance that survivors across regions receive key information needed to access resources and manage their recovery. GAO also found that SBA’s 2023 rule addresses some challenges faced by rural and underserved areas in using the Disaster Loan Program. For example, the higher home lending limit could help homeowners and renters in rural areas manage construction costs when demand is high and supplies are limited. Why GAO Did This Study Recent natural disasters highlight the need for federal agencies to deliver assistance efficiently and effectively. In fiscal year 2024, the most recent year for which data were available, SBA’s Disaster Loan Program supported about $1.7 billion in disaster lending at an estimated cost of $341.4 million. That year, SBA approved more than 27,000 direct disaster loans to help borrowers recover from events such as floods, hurricanes, and tornadoes. In 2023 and 2024, SBA and FEMA, respectively, adopted rules that made changes affecting the program. GAO was asked to examine the effects of these rules on the Disaster Loan Program, including changes in SBA’s implementation of the program. This report addresses SBA’s implementation of these rules, including how the agency communicated changes to survivors. GAO reviewed SBA and FEMA rules and analyzed SBA press releases, fact sheets, staffing reports, and recovery center data for disasters declared in 2023 and 2024 to assess how SBA communicated rule changes and allocated resources. GAO also interviewed officials from SBA, FEMA, and local government in five states, selected based on geographic location, loans approved, and funds disbursed, to understand survivor experiences and how the new rules affected rural and underserved communities.

What GAO Found The Air Force has three maintenance depots that maintain the readiness of aircraft required for military operations. Depot maintenance delays have increased considerably since fiscal year 2019, whether measured by the original target completion date set before aircraft arrive at the depot or the revised target completion date that accounts for unplanned work found during maintenance. Percentage of Air Force Aircraft Delayed During Depot Maintenance, Fiscal Years 2019–2024 The Air Force tracks depot maintenance timeliness for both original and revised target completion dates but primarily uses the revised target for reporting on its performance.GAO found several limitations associated with the Air Force’s reporting on depot timeliness. For example: Reporting on the revised target masks the full extent of delays because it does not reflect unplanned work. Depots frequently revised targets after they completed maintenance to match the actual number of days it took to complete maintenance. Depots and aircraft program offices inconsistently apply the target completion date revision process. As a result, the Air Force is not reporting the full extent of depot maintenance challenges and may not be able to make accurate comparisons across the fleet. While all three depots have filled 90 percent or more positions since 2020, they have experienced shortages in specific occupations. According to depot officials, pay competition with the private sector is the primary challenge in recruiting and retaining personnel in occupations such as engineers and mechanics. The depots have taken some steps to mitigate this challenge by selectively using incentives and emphasizing the nonfinancial benefits of a federal career. However, the Air Force has not fully addressed pay competition with the private sector because DOD has not conducted a comprehensive assessment of pay gaps for occupations affected by private sector competition. Such an assessment would enable the depots to make informed decisions to address competition with the private sector for occupations critical to aircraft readiness. Why GAO Did This Study More than 2 decades of conflict has degraded the Air Force’s readiness, with wide-ranging effects on aircraft from continuous deployments. The Air Force is working to rebuild its readiness, in part by modernizing its maintenance depots to sustain an increasingly aging fleet. The Air Force’s three maintenance depots, also known as Air Logistics Complexes (ALC) are: Ogden ALC, Oklahoma City ALC, and Warner Robins ALC. Senate Report 118-188 accompanying a bill for the National Defense Authorization Act for Fiscal Year 2025 includes a provision for GAO to assess maintenance and staffing at the three ALCs. This report assesses, among other things, the extent to which the Air Force has completed aircraft depot maintenance on time and addressed any staffing challenges at the depots. GAO analyzed Air Force maintenance and staffing data; interviewed Department of Defense and Air Force officials; and conducted site visits to all three ALCs.

What GAO Found The Financial Data Transparency Act (FDTA) was enacted in December 2022 with the intent of eventually reducing the private sector’s regulatory compliance burden while enhancing transparency and accountability. The FDTA requires agencies that regulate the financial sector to create a set of joint data standards to ultimately help harmonize future reporting by promoting data sharing among financial regulators. Implementation of the FDTA requirements is in the early stages of the rulemaking process, with regulatory agencies working to finalize an August 2024 proposed rule. Subsequently, most regulatory agencies are required to issue their own regulations to implement the joint data standards. The agency officials and stakeholders GAO spoke with identified potential benefits, costs, and challenges of implementing the FDTA. Potential benefits of implementation  Standardized data reporting, as well as the interoperability of data collected by different agencies, could improve the quality and efficiency of data analysis by regulators.  More efficient data analysis could in turn improve oversight and more timely identification of compliance concerns.  Common standards for reporting within the framework set forth by the FDTA could reduce reporting entities’ burden by making filing financial reports across multiple regulatory agencies more efficient. Potential challenges and costs of implementation Regulatory agencies may need to modernize legacy data systems, coordinate across agencies, and manage data governance costs. Reporting entities could incur costs for adapting processes and systems to comply with the FDTA’s updated reporting requirements, as well as conducting system testing. While the FDTA sets forth provisions for the sharing of certain key data elements in the context of financial regulation, there is interest in a broader, government-wide data standard, similar to Standard Business Reporting (SBR) that would reduce the burden on reporting entities while streamlining the reporting process across all government agencies. SBR refers to the government-wide adoption of a common taxonomy, or shared dictionary of data fields, in a way that enables data processing to be automated and data to be gathered from reporting entities and transferred to regulators. While the United States does not currently have SBR, other federal efforts have addressed the streamlining of government data reporting to better ensure its usefulness and improve its quality. Practitioners in the fields of data management, data governance, and regulations told GAO the FDTA could put the United States on a path towards a government-wide reporting system, similar to SBR. GAO’s past work on prior government-wide efforts to establish data standards provide effective practices on interagency collaboration and data governance that can guide regulators at such time as they should seek to build toward a government-wide regulatory standardization mechanism like SBR. Why GAO Did This Study Federal agencies regulate, supervise, and oversee banks, savings associations, credit unions, and financial markets that manage trillions of dollars in deposits and loans. Regulations often require entities to report information to the government to assess compliance and help ensure the soundness of financial markets. GAO has previously reported, however, that these reporting requirements also create burdens on reporting entities, especially if they are reporting the same or similar information to multiple agencies. Congress included a provision in statute for GAO to review the feasibility, costs, and potential benefits of building upon the taxonomy established by the FDTA to arrive at a government-wide regulatory compliance standardization mechanism similar to SBR. This report (1) describes stakeholders’ views on potential benefits, costs, and challenges of the FDTA; and (2) describes effective practices to facilitate future government-wide data standardization efforts and stakeholders’ views on such potential efforts. GAO reviewed documentation and corresponded with officials from nine regulatory agencies involved in implementing the FDTA. GAO met with four practitioner groups knowledgeable about data standards and the FDTA, including private entities that develop software solutions or other products to support data standardization, to understand the technology and their experiences with compliance reporting. GAO also interviewed four groups representing reporting entities, as well as two academic researchers knowledgeable about financial regulatory reform efforts. GAO also reviewed its prior work to identify effective practices in interagency collaboration and data governance structures. For more information, contact Yvonne Jones at jonesy@gao.gov.