Appendix: GAO-IG Act Reporting for Budget Fiscal Year 2026

The following information is provided in compliance with The Good Accounting Obligation in Government Act (GAO-IG Act), Pub. L. No. 115-414, 132 Stat. 5430 (2019). It describes the agency’s implementation status of each GAO recommendation that is designated as "open" or "closed, unimplemented."

The Good Accounting Obligation in Government Act (GAO-IG Act, Pub. L. No. 115-414, 132 Stat. 5430 (2019)) requires each agency to include, in its annual budget justification, a report that identifies each public recommendation issued by the Government Accountability Office (GAO) and the agency’s Inspectors General (IGs) which has remained "open" or "closed, unimplemented" for one year or more from the annual budget justification submission date.  In addition, the Act requires a reconciliation between the agency records and the IGs’ Semiannual Report to Congress (SAR).  In compliance with the GAO-IG Act, OPM provides reports listing each public recommendation from GAO and OPM’s Office of the Inspector General (OIG).

Recommendation Detail Status
To improve federal training investment decision-making processes, the Director of OPM should include in existing or new OPM guidance or technical assistance additional information in the following areas: (1) Steps agencies should take and factors they should consider when prioritizing federal training investments agency-wide, including developing a process to rank training using criteria, such as expected demand for the investment from internal sources, availability of resources to support the effort, potential for increased revenue, and risk of unfavorable consequences if investments are not made. (2) Steps agencies should take and factors they should consider for comparing the merits of different delivery mechanisms and determining the mix of mechanisms to use, in order to ensure efficient and cost-effective delivery of federal training. Such guidance could include requesting that agencies consistently utilize Standard Form-182 to document and report training costs associated with the different delivery mechanisms employed. Corrective actions have been completed and are being reported to GAO to address the recommendation.
In line with statutory and regulatory provisions on maintenance and reporting of training information, work with the CHCO Council to improve the reliability of agency training investment information by: ensuring that agencies are familiar with and follow guidance outlined in OPM’s Guide for the Collection and Management of Training Information regarding which training events should be documented as training and reported to OPM; developing policies to strengthen the utilization of Standard Form-182 to document and report training costs; encouraging agencies through guidance and technical assistance, to develop policies that require consistent reporting of training data to their learning management systems; and encouraging each agency to assess its existing training information system(s) and identify whether it is providing complete and reliable data and, if not, to develop approaches to improve the system(s), in order to do so. Corrective actions have been completed and are being reported to GAO to address the recommendation.
Provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. OPM concurs with this recommendation to provide software license management training addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.
The agency is developing software asset management procedures that will include both required and optional training curricula for appropriate personnel. OPM will finalize training processes and comprehensive documentation following completion of technology process changes currently underway. This action aligns with the MEGABYTE Act of 2016 (Pub. L. No. 114-210, 130 Stat. 824), which codified software license management requirements for executive agencies.
PR: Director of OPM, working through the Chief Human Capital Officer Council, and in conjunction with key stakeholders such as the Office of Management and Budget, unions, and others, should use prior studies and lessons learned from demonstration projects and alternative systems to examine ways to make the GS system's design and implementation more consistent with the attributes of a modern, effective classification system. To the extent warranted, develop a legislative proposal for congressional consideration. Corrective actions are in progress to address the recommendation.
Provide updated and specific guidance to payroll service providers on which activities to report, or not to report, to the paid administrative leave data element in EHRI. GAO has marked this recommendation partially addressed pending a review of payroll service providers’ use of OPM’s updated guidance.
PR: To help strengthen the government's ability to compete in the labor market for top talent, and to improve the federal hiring process, the Director of OPM, in conjunction with the CHCO Council, should use this information to determine whether opportunities exist to refine, consolidate, eliminate, or expand agency-specific authorities to other agencies and implement changes where OPM is authorized, including seeking presidential authorization (as necessary) in order to do so. In cases where legislation would be necessary to implement changes, OPM should work with the CHCO Council to develop legislative proposals.
GAO previously noted that this recommendation may necessitate a longer term effort to address, given that OPM would likely need to use its completed, ongoing, and planned studies on specific hiring authorities from recommendation 1 to determine whether opportunities exist to refine, consolidate, eliminate, or expand access to authorities. As of 8/15/2017, this is still the case.
Corrective actions are in progress to address the recommendation.
PR: To support its strategic and open data goals, the Director of OPM should improve the availability of the EHRI payroll data--for example, by preparing the data for analytics, making them available through online tools such as FedScope, and including them among the EHRI data sources on the OPM website and Data.gov. OPM concurs with this recommendation to improve the availability of EHRI payroll data through online analytics tools such as Federal Workforce Data (formerly FedScope) and inclusion among EHRI data sources on the OPM website and Data.gov.
In June 2024, the agency developed an implementation plan targeting public publication of EHRI payroll data by Q4 FY 2026. However, workforce reductions within the Data Systems Management and Modernization component in FY 2025 have required restructure planning that impacts original implementation timelines.
OPM is currently assessing resource requirements and organizational capacity following restructuring. The agency remains committed to supporting its strategic and open data goals by making EHRI payroll data accessible for analytics and decision-making and will provide updated target dates for public availability once restructuring is complete.
PR: To integrate the payroll data into the larger suite of EHRI databases, the Director of OPM should evaluate existing internal control activities and develop new control activities for EHRI payroll data, such as implementing transactional edit checks that leverage the information in the other EHRI datasets. OPM concurs with this recommendation to integrate payroll data into the larger suite of EHRI databases by evaluating existing internal control activities and developing new control activities for EHRI payroll data.
The agency has implemented nearly 250 new validation edits for EHRI payroll data. In June 2024, OPM developed an updated plan with a schedule for implementing relational and cross-relational edits for EHRI payroll data by Q4 FY 2025, including leveraging information from other EHRI datasets.
However, workforce reductions within the Data Systems Management and Modernization component in FY 2025 have required restructure planning that impacts implementation timelines. The agency is currently conducting restructure planning and will provide updated target dates for completing control activities once resource assessments are finalized. OPM remains committed to improving EHRI data quality and integration across datasets.
To address demonstrated noncompliance with section 15(k) of the Small Business Act, as amended, the Director of the Office of Personnel Management should comply with sections 15(k)(2), (k)(8), and (k)(17) or report to Congress on why the agency has not complied, including seeking any statutory flexibilities or exceptions believed appropriate. OPM is developing corrective actions to address compliance with sections 15(k)(2), (k)(8), and (k)(17) of the Small Business Act, as amended. The agency is evaluating reporting requirements and will either come into compliance or report to Congress on why the agency has not complied, including seeking any statutory flexibilities or exceptions believed appropriate.
The Director of OPM should ensure that the CIO of OPM updates the agency’s policy and process for the CIO’s certification of major IT investments’ adequate use of incremental development, in accordance with OMB’s guidance on the implementation of FITARA, and confirm that it includes a description of the CIO’s role in the certification process and a description of how CIO certification will be documented. OPM concurs with this recommendation to update the agency's policy and process for the CIO's certification of major IT investments' adequate use of incremental development, in accordance with OMB's guidance on FITARA implementation.
The agency is incorporating incremental development guidance into its revised IT Portfolio Management policy. However, implementation has been delayed due to competing priorities. OPM is drafting an IT Portfolio Management Guide that will provide detailed information regarding the CIO's role in the certification process and how CIO certification will be documented. The agency will provide updated timelines for completion of both the policy and guide.
PR: The Director of OPM, after consultation with the CHCO Council, should provide guidance to agencies to enhance the training received by managers/supervisors and human capital staff to ensure that they have the guidance and technical assistance they need to effectively address misconduct and maximize the productivity of their workforces. Corrective actions have been completed and are being reported to GAO to address the recommendation.
PR: The Director of OPM, in consultation with the CHCO Council, should develop and implement a mechanism for agencies to routinely and independently share promising practices and lessons learned, such as through allowing agencies to post such information on OPM’s Performance Management portal. Corrective actions have been completed and are being reported to GAO to address the recommendation.
PR: The Director of OPM, in consultation with the CHCO Council, should develop a strategic approach for identifying and sharing emerging research and innovations in performance management. Corrective actions have been completed and are being reported to GAO to address the recommendation.
The Associate Director of OPM's Retirement Services should develop and implement policies and procedures for assessing strategies intended to improve processing times, including collecting and improving data needed to support those strategies, such as collecting better productivity data or staffing data and linking them to processing outcomes. OPM partially concurs with this recommendation to develop and implement policies and procedures for assessing strategies intended to improve processing times.
The agency uses multiple strategies to improve claim processing times, including overtime, special project teams, and resource reallocation based on workload levels. In May 2024, OPM implemented a weekly production report to prioritize workloads and monitor workload levels to shift resources as needed.
In FY 2025, OPM implemented the Digital File System (DFS), which complements prior reporting approaches by providing enhanced capability to monitor internal retirement processing. DFS enables real-time visibility into retirement applications, including retirement type, processing stage (intake, development, review, and adjudication), the responsible business unit, and assigned staff. DFS also allows OPM to track updates, measure time spent in each processing stage, and monitor movement into pay status, including the transition from interim pay to final adjudication.
With the full implementation of the Online Retirement Application (ORA) for submitting digital retirement packages across all federal agencies, integrated with internal reporting within DFS, OPM will have the operational data and visibility needed to assess processing strategies and their impact on processing times. OPM expects this capability to support full implementation of this recommendation.
PR: The Director of the Office of Personnel Management should ensure that the agency fully implements each of the eight key IT workforce planning activities it did not fully implement.
GAO Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
OPM concurs with this recommendation to fully implement eight key IT workforce planning activities.
The agency has implemented six of the eight activities: developing competency and staffing requirements; assessing gaps in competencies and staffing; developing strategies and plans to address gaps; implementing activities that address gaps; monitoring progress in addressing gaps; and reporting to agency leadership on progress.
In March 2025, OPM reported that it expects to approve or finalize its IT workforce plan by Q3 FY 2025, complete competency assessments by Q4 FY 2025, and complete the related analysis by Q2 FY 2026. Completing these actions to address the two remaining workforce planning activities will provide OPM greater assurance that it has IT staff with the necessary knowledge, skills, and abilities to support its mission and goals.
The Director of the Office of Personnel Management should establish a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements. OPM concurs with this recommendation to establish a timeframe for developing an inventory of electronic information systems used to store agency records that includes all required elements.
In October 2025, the agency began the process of digitizing its permanent and temporary records and has established a timeframe for developing an agency inventory of electronic systems. OPM will provide documentation of the inventory development schedule and completion timeline.
The Director of the Office of Personnel Management should establish a time frame to update its policies and procedures to include all of the required electronic information system functionalities for recordkeeping systems. OPM concurs with this recommendation to establish a timeframe to update policies and procedures to include all required electronic information system functionalities for recordkeeping systems.
In March 2022, the agency updated its records management policy to require that the Chief Information Officer (CIO) implement IT systems that provide records management and retention capabilities. This includes requiring that the CIO address records management and archival functions, provide guidance on the security of electronic records over the life of the records, and ensure that electronic records are properly stored as information systems are being planned. These policy updates address the required electronic information system functionalities for recordkeeping systems.
The Director of the Office of Personnel Management should establish a time frame to update the agency's policies and procedures on retention and management for email to include retaining electronic calendars and draft documents. OPM concurs with this recommendation to establish a timeframe to update the agency's policies and procedures on retention and management for email to include retaining electronic calendars and draft documents.
The agency provided copies of its records management policy and electronic mail usage and maintenance policy in March 2022. However, these documents do not currently include retention and management requirements related to electronic calendars and draft documents. OPM is updating its policies and procedures to incorporate these requirements and will provide a timeframe for completion.
The Acting Director of the Office of Personnel Management should use OPM's oversight authority to monitor career SES reassignments to ensure that federal agencies meet requirements contained in statute or regulation, and follow OPM's related guidance. In situations where OPM finds that an agency has taken a career SES reassignment action contrary to these requirements, it should use its authority to require the agency to take corrective action, as appropriate. OPM does not concur with this recommendation and does not plan to take corrective action.
The Director of OPM should establish a process and update its guidance to obtain complete and accurate data about the number of non-federal mobility program participants on detail to federal agencies. OPM does not concur with this recommendation and does not plan to take corrective action.
The Director of OPM should establish a time frame for updating the agency’s policy for creating, reviewing, and publishing system of records notices, and make these updates. OPM partially concurs with this recommendation to establish a timeframe for updating the agency's policy for creating, reviewing, and publishing system of records notices (SORN).
While the agency has a process for SORNs and adheres to the requirements of the Privacy Act of 1974 and OMB Circular A-108 in publishing new or updated SORNs, OPM acknowledges that it may benefit from an updated policy regarding the SORN process. In January 2024, the agency committed to reviewing the current SORN process and policy documentation by the end of Q2 FY 2024, as operational priorities and resources permit. The OPM privacy program will put a policy in place to address this recommendation by the end of FY 2026.
The Director of OPM should fully define and document a policy and process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. OPM did not concur with this recommendation, noting that it has processes in place for the senior agency official for privacy's involvement in workforce planning. In particular, the agency described steps it has taken in this area, including developing a memo in 2020 outlining strategic workforce needs for the Office of Privacy and Information Management. However, OPM has not formalized the role of the SAOP in addressing hiring, training, and professional development needs with respect to privacy, helping to ensure the privacy program's ability to advocate for the skilled and qualified staff it needs on an ongoing basis. Accordingly, we believe our recommendation continues to be warranted. In January 2024, OPM stated that it will consider formally documenting the SAOP's role in hiring, training, and professional development by the end of fiscal year 2024 as priorities and resources allow. However, the previous office that handled the privacy program has experienced a complete turnover. The new privacy program will document the SAOP’s role in hiring and training for the program by the end of FY26.
The Director of OPM should incorporate privacy into an organization wide risk management strategy that includes a determination of risk tolerance. OPM does not concur with this recommendation to fully define and document a policy and process for ensuring that the senior agency official for privacy is involved in assessing and addressing hiring, training, and professional development needs with respect to privacy.
The agency has processes in place for the senior agency official for privacy's involvement in workforce planning, including a 2020 memo outlining strategic workforce needs for the Office of Privacy and Information Management. However, OPM has not formalized the role of the SAOP in addressing hiring, training, and professional development needs with respect to privacy. In January 2024, the agency stated it will consider formally documenting the SAOP's role in hiring, training, and professional development by the end of FY 2024 as priorities and resources allow. OPM will provide an update on this consideration.
The Director of OPM should fully develop and document a continuous privacy monitoring strategy. OPM partially concurs with this recommendation to fully develop and document a privacy continuous monitoring strategy.
The agency's privacy and security programs work collaboratively to implement revision 5 of the National Institute of Standards and Technology's Special Publication 800-53. The privacy program will put documentation in place reflecting its privacy continuous monitoring strategy by the end of FY 2026. The agency will provide documentation of the privacy continuous monitoring strategy once evaluation is complete.
The Director of OPM should implement a monitoring mechanism to ensure employing offices and carriers are verifying family member eligibility as required by OPM's 2021 guidance. OPM concurs with this recommendation to implement a monitoring mechanism to ensure employing offices and carriers are verifying family member eligibility as required by OPM's 2021 guidance.
The FEHB Protection Act of 2025 (FPA) requires OPM to strengthen eligibility verification and oversight of the FEHB Program. OPM is directed to issue regulations and implement verification processes by July 4, 2026, conduct a comprehensive family member eligibility audit between July 4, 2026 - July 4, 2029, and establish a process for removal of ineligible individuals (completed in December, 2025 per statutory deadline).
The Director of OPM should implement a monitoring mechanism to identify and remove ineligible family members from the FEHB program. OPM concurs with this recommendation to implement a monitoring mechanism to identify and remove ineligible family members from the FEHB program.
In July 2025, Congress enacted The FEHB Protection Act (H.R.1, Sec. 90101), which requires OPM to identify and remove ineligible family members from the FEHB program. The agency is implementing the Act's requirements to conduct the first comprehensive audit to verify the eligibility of family members covered under the FEHB and PSHB Programs. This action represents an important step in identifying ineligible family members, with potential net savings of more than $2 billion over ten years, according to the Congressional Budget Office.
PR: The Director of OPM should establish an action plan to address OPM's skills gaps identified in the workforce assessment, either as an update to its HCOP or a separate effort. OPM concurs with this recommendation to establish an action plan to address OPM's skills gaps identified in the workforce assessment, either as an update to its Human Capital Operating Plan (HCOP) or a separate effort.
The agency has taken several actions to address skills gaps within its own workforce. To fully implement this recommendation, OPM is developing an action plan that includes a list of mission-critical occupations, identification of which occupations have skills gaps, and metrics to measure progress toward closing skills gaps. This action plan will help OPM improve its capacity to provide human capital services and guidance to agencies. The agency will provide the completed action plan and implementation timeline.
The Director of OPM should examine how the public information on political appointees OPM is mandated to provide under the PLUM Act can be used by agencies to better identify political appointees subject to OPM's pre-appointment reviews. OPM concurs with this recommendation to examine how public information on political appointees provided under the PLUM Act can be used by agencies to better identify political appointees subject to OPM's pre-appointment reviews.
In December 2023, the agency began implementing the requirements of the PLUM Act to provide information on political appointees through a publicly accessible web-based site. In March 2024, OPM released guidance stating that the PLUM reporting website would include historical data from January 20, 2021, including start and end dates of political appointees' appointments.
As of March 2025, the PLUM reporting website (https://www.opm.gov/about-us/open-government/plum-reporting/) provides data on current political appointees as reported by agencies in 2024. The agency is working to add historical data on start and end dates of past appointments to allow agency human resources personnel to search and confirm historical incumbencies for applicants and potential selectees prior to appointment. This information should not be considered the sole source agencies use to identify whether a selection is subject to OPM's pre-appointment review. OPM will provide timelines for adding historical data to the PLUM website.
The Director of OPM should work with agencies to collect and disseminate information about the scope of its pre-appointment review authority, including information that identifies those agencies and positions that are not subject to OPM's authority. OPM concurs with this recommendation to work with agencies to collect and disseminate information about the scope of its pre-appointment review authority, including information that identifies those agencies and positions that are not subject to OPM's authority.
The agency continues to provide agencies updates through memoranda and briefings on OPM's pre/post-appointment review process and their related responsibilities. These briefings reinforce issued guidance, communicate key reminders, and provide updates about agencies and/or components not subject to OPM's pre-appointment review authority.
In December 2024, OPM provided information about briefings conducted for agency officials regarding OPM's pre-appointment reviews. The briefing materials include information about categories of appointments not subject to OPM's review, including positions in the intelligence community. However, staffing constraints limit the agency's ability to undertake additional collection and dissemination efforts beyond current activities, such as issuance of letters to Congress and Chief Human Capital Officers identifying intelligence community positions falling outside OPM's review authority.
The Director of the Office of Personnel Management should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. OPM concurs with this recommendation to ensure that the agency fully implements all event logging requirements as directed by OMB guidance. Corrective actions are in progress to address this recommendation. The agency will provide implementation timelines and documentation of completed event logging capabilities.
The Director of OPM should ensure that the agency (a) establishes or updates and improves an existing occupational series with AI-related positions; (b) establishes an estimated number of AI-related positions, by federal agency; and, based on the estimate, (c) prepares a 2-year and 5-year forecast of the number of federal employees in these positions, in accordance with federal law. Corrective actions have been completed and are being reported to GAO to address the recommendation.
PR: The Director of the Office of Personnel Management, in coordination with the Director of the Defense Counterintelligence and Security Agency, should develop and implement a plan to ensure that current and future IT systems used for personnel vetting contain complete and accurate information required to make suitability, fitness, and credentialing reciprocity determinations. OPM concurs with this recommendation to develop and implement a plan, in coordination with the Director of the Defense Counterintelligence and Security Agency (DCSA), to ensure that current and future IT systems used for personnel vetting contain complete and accurate information required to make suitability, fitness, and credentialing reciprocity determinations.
DCSA, in coordination with OPM, has developed a plan to provide more complete and accurate information for reciprocity decisions by improving DISS JVS (Defense Information System for Security Joint Verification System) and migrating records from CVS (Central Verification System) into DISS JVS. This plan includes several elements: adding data fields to DISS JVS to address current information gaps; designing DISS JVS to force users to enter all required fields; adding capability for DISS JVS to integrate data from other IT systems or validate data accuracy; migrating existing records from CVS into DISS JVS with analysis to ensure records meet requirements; and examining agencies' existing CVS records to require agencies to update missing data fields.
Components of this plan have varying implementation timelines. The eApp user interface is currently being integrated into DISS-JVS. OPM and DCSA plan to implement other components in FY 2025 and 2026, while some components do not yet have implementation dates. The agency is working with DCSA to implement all components of the plan and will provide updated timelines for completion.
The Director of the Office of Personnel Management should develop and implement supplemental policies to ensure that federal agencies consistently share information with other agencies attempting to grant suitability, fitness, and credentialing reciprocity. OPM concurs with this recommendation to develop and implement supplemental policies to ensure that federal agencies consistently share information with other agencies attempting to grant suitability, fitness, and credentialing reciprocity.
The agency is developing policies that promote timely information sharing among agencies by building on Trusted Workforce 2.0 policies that have emphasized information sharing. In October 2024, OPM referenced information sharing provisions in several Trusted Workforce 2.0 policies, including the PMIG (Personnel Management Information Guide) and the Federal Personnel Vetting Core Doctrine. While these provisions are constructive, the agency recognizes the need for supplemental policies to ensure consistent information sharing across agencies. OPM is developing additional guidance and will provide implementation timelines.
The Director of OPM should ensure that the agency consistently tracks software licenses that are currently in use for its widely used licenses by, at a minimum, consistently implementing its procedures for tracking license usage. OPM concurs with this recommendation to ensure that the agency consistently tracks software licenses currently in use for its widely used licenses by consistently implementing its procedures for tracking license usage.
To support alignment with business need and consistent tracking, OPM routinely reviews the cost and number of software and enterprise licenses, including at least annually and prior to contract renewal or recompete activities. The agency has established procedures for tracking license usage and is implementing these procedures consistently across widely used software licenses.
PR: The Director of OPM should ensure that the agency compares the inventories of software licenses that are currently in use with information on purchased licenses to identify opportunities to reduce costs and better inform investment decision making for its widely used licenses on a regular basis. At a minimum, it should consistently implement its procedures for comparing the inventories of licenses in use to purchase records. OPM concurs with this recommendation to ensure that the agency compares inventories of software licenses currently in use with information on purchased licenses to identify opportunities to reduce costs and better inform investment decision-making.
The agency reviews the cost and number of software licenses routinely, including at least annually and prior to contract renewal or recompete activities. OPM also reviews the number of software licenses and enterprise licenses for continuous reevaluation of business need. The agency is consistently implementing its procedures for comparing inventories of licenses in use to purchase records to identify cost reduction opportunities and inform investment decisions.
The Director of OPM should ensure that the CIO of OPM updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required element for SLAs: remediation plans for non-compliance. OPM concurs with this recommendation to ensure that the CIO updates guidance to put a cloud service level agreement (SLA) in place with every vendor when a cloud solution is deployed, including language that addresses OMB's required element for SLAs regarding remediation plans for non-compliance.
Corrective actions are in progress to address this recommendation. The agency is updating guidance to require cloud SLAs with all vendors and will include provisions for remediation plans when vendors fail to meet SLA requirements. OPM will provide updated guidance documentation and implementation timelines.
The Director of the Office of Personnel Management should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. OPM concurs with this recommendation to update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts.
In FY 2025, the agency completed the transfer of most procurement functions to the General Services Administration, as planned. This transfer addresses the recommendation by consolidating procurement expertise and ensuring consistent application of guidance on restrictive software licensing practices. The agency has completed this action.
The Director of the Office of Personnel Management should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. OPM concurs with this recommendation to assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency.
In FY 2025, the agency completed the transfer of most procurement functions to the General Services Administration, as planned. This transfer addresses the recommendation by clearly assigning responsibility for identifying and managing restrictive software licensing practices. The agency has completed this action.
The Director of the Office of Personnel Management should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. OPM concurs with this recommendation to direct its agency CIO to work with OMB to ensure that annual reviews of the IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA.
In May 2025, the OCIO submitted the draft OPM IT Portfolio Management policy for clearance. The policy indicates that the CIO will perform an annual IT portfolio review including representatives from the Office of the Director and OMB in conjunction with OPM's annual budget request submission to ensure consideration of the best mix of proposed and continuing IT investments during budget formulation. The OCIO will schedule an annual IT portfolio review in preparation for the Budget Year 2028 IT submission. The agency will provide the final policy and documentation of portfolio review completion.
The Director of the Office of Personnel Management should direct its agency CIO to ensure they conduct a review in conjunction with the investment’s program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). OPM concurs with this recommendation to direct its agency CIO to ensure reviews are conducted in conjunction with the investment's program manager and in consultation with the Federal CIO for major IT investments designated as high risk for four consecutive quarters, as prescribed by FITARA.
In May 2025, the agency reported that it continues to review major IT investments' cost, schedule, performance, and cybersecurity risks per FITARA's requirements. The OCIO is revising OPM’s CIO Risk Rating evaluation criteria to enhance OMB's requirements. The revised criteria will consider evidence-based input from IT investment owners and managers to enhance risk assessment of the IT investment's ability to accomplish its goals, including identifying root causes of high risk, the extent to which causes can be addressed with action items and due dates, and the probability of future success with expected outcomes. The agency will provide updated evaluation criteria and documentation of high-risk investment reviews.
The Director of the Office of Personnel Management should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. OPM concurs with this recommendation to establish a plan and timeframe for completing the covered IoT inventory, as directed by OMB.
In May 2025, the agency developed an initial project plan confirming timeframes and resources to complete the covered IoT inventory. OPM is evaluating options for IoT inventory management. The agency will provide a target completion date once resource requirements are finalized.
The Director of OPM should develop and implement a plan to collect and assess the evidence OPM needs to identify factors impacting hiring trends of existing Pathways Programs. Corrective actions are in progress to address the recommendation.
The Director of OPM should develop and implement a plan to collect and evaluate feedback data from Pathways participants on their satisfaction with existing Pathways Programs. Corrective actions are in progress to address the recommendation.
The Director of OPM should develop and implement a process for collecting and sharing lessons-learned associated with recruitment and outreach for existing Pathways Programs. Corrective actions are in progress to address the recommendation.
The Director of OPM should clarify, as expeditiously as possible, which entity will serve as the dedicated entity for leading fraud risk management activities. OPM concurs with this recommendation to clarify which entity will serve as the dedicated entity for leading fraud risk management activities. Corrective actions are in progress to address this recommendation. The agency is evaluating organizational options and will document the designated entity's responsibilities. OPM will provide clarification and implementation timelines.
The Director of OPM should document the responsibilities of its antifraud entity, as distinct from its ERM responsibilities, to include the responsibility for serving as a repository of knowledge on fraud risk and controls; managing the fraud risk-assessment process; leading or assisting with trainings and other fraud-awareness activities; and coordinating antifraud initiatives across the program. Corrective actions are in progress to address the recommendation.
The Director of OPM should design and conduct a robust fraud risk assessment that will identify the inherent fraud risks facing the FEHB program. Corrective actions are in progress to address the recommendation.
The Director of OPM should develop and maintain documentation of its fraud risk assessments. Corrective actions are in progress to address the recommendation.
The Director of OPM should ensure that it documents the results of its assessment of inherent fraud risks facing the FEHB program on its fraud risk profile. Corrective actions are in progress to address the recommendation.
The Director of OPM should involve relevant stakeholders—including OPM’s OIG and health insurance carriers—by including their participation in its fraud risk assessment process. Corrective actions are in progress to address the recommendation.


