What GAO Found The Department of Defense (DOD) uses three key processes to determine service member cost-of-living allowances (COLA), with separate programs for service members living in the continental U.S. (CONUS) and outside the continental U.S. (OCONUS). These processes include data on military household spending from the Department of Labor’s Bureau of Labor Statistics, location-specific surveys of shopping patterns, and retail price data for the goods and services that service members typically buy. DOD uses these processes to develop comparative prices for locations where it stations service members. DOD uses average CONUS prices as a baseline for determining eligibility for COLA. Using these processes, DOD determines a COLA rate for each eligible location. Payments to service members in these locations vary based on their spendable income and number of dependents. The department also tracks foreign currency fluctuations relative to the dollar to help determine COLA payments in OCONUS locations. DOD’s Process for Determining COLA Rates, Calendar Year 2024 DOD’s processes for determining COLA rates CONUS and OCONUS have several weaknesses. Additionally, information about COLA rates can be better communicated to service members. Specifically: DOD’s survey for determining service members’ shopping patterns does not use sound sampling practices. DOD does not consistently use existing processes to capture location-specific expenses. DOD has inconsistent processes for determining dependent-based COLA compensation in CONUS and OCONUS. DOD posts information about COLA on a publicly available website, but there are inconsistencies in the amount and type of information local commands provide to service members at locations that receive COLA. Further, some service members told GAO that they did not understand their COLA payments. Taking action to address these issues will help ensure service members are appropriately compensated, which will support their quality of life and their ability to meet mission needs. Why GAO Did This Study DOD assigns its 1.4 million active-duty service members to over 3,500 locations worldwide. DOD provides a COLA to assist service members with nonhousing expenses, such as food, in high cost areas. The conference report accompanying the National Defense Authorization Act for Fiscal Year 2024 includes a provision for GAO to examine DOD’s COLA programs. This report (1) describes the processes DOD uses to determine COLA and payments for service members; and (2) examines the extent to which DOD’s COLA processes are appropriately designed and communicated. GAO analyzed laws, regulations, policies, and COLA rates. GAO interviewed officials responsible for the COLA program and held discussion groups with service members in five locations in Hawaii, Japan, Alaska, Germany, and Virginia. Most of the site visits GAO held were at OCONUS locations because 97 percent of the COLA payments are OCONUS.

What GAO Found When activities impact wetlands, streams, or other waters of the U.S., the U.S. Army Corps of Engineers can require compensatory mitigation activities—such as removing invasive species from wetlands. GAO reviewed Corps oversight of compensatory mitigation activities and found that the three districts it selected had generally improved the frequency of oversight activities, compared with Corps districts selected for a 2005 GAO report. Specifically, the three selected districts’ mitigation files generally included at least one monitoring report, and the three districts improved the degree to which they are performing compliance inspections compared to the districts in the 2005 report. In both 2026 and 2005, GAO found that the Corps (1) can take a variety of enforcement actions if required compensatory mitigation is not performed and (2) relies primarily on negotiation with those responsible for the mitigation as a first step in the enforcement process. Corps Role in Oversight of Compensatory Mitigation While selected Corps districts generally have improved the frequency of oversight activities, districts have taken inconsistent approaches to implementing certain compensatory mitigation requirements in mitigation plans required by Corps regulations. For example, nearly all of the district files GAO reviewed addressed financial assurances—a required part of mitigation plans—which are used to ensure sufficient funding is available to correct or complete a project if the responsible party does not do so. But a number of files lacked sufficient information to support how assurances were established. District officials told GAO that additional guidance from headquarters would help them implement mitigation requirements. Without consistent implementation of the requirements, the Corps cannot ensure that its oversight of mitigation projects will achieve intended environmental outcomes across districts. Why GAO Did This Study Some activities that impact certain wetlands, streams, and other aquatic resources require a Clean Water Act section 404 permit from the Corps. For unavoidable adverse impacts, compensatory mitigation may be required to replace aquatic resource functions. Permittees may perform the work themselves or pay a sponsor to complete the work and assume responsibility for the mitigation project. Congress included a provision in the Water Resources Development Act of 2022 for GAO to review compensatory mitigation activities. This report reviews (1) the extent to which selected Corps districts conduct compensatory mitigation oversight and enforcement activities and (2) guidance the Corps developed for overseeing this mitigation, and how the guidance can be improved. GAO identified and reviewed a sample of 85 files from three selected Corps districts. GAO randomly selected a sample from files that met certain criteria, such as permits issued from fiscal year 2017 through fiscal year 2022. GAO also interviewed agency officials from headquarters and the three districts.

What GAO Found Following the COVID-19 pandemic, the airline industry faced challenges filling pilot vacancies, which network and low-cost airlines addressed by hiring from regional airlines, according to the Federal Aviation Administration (FAA). Those regional pilots’ departures contributed to reductions in regional airline service to small communities, according to selected stakeholders. For example, one network airline told GAO that in 2022 it had to withdraw regional air service from 29 airports, many of which serve small communities. Several trends—like increased airline operating costs and travelers driving to their destination or to a larger airport—have also contributed to the decrease in regional air service to small airports and communities over the last 20 years, according to GAO’s prior work. Data and selected stakeholders indicate that pilot supply has been rebounding in recent years. From 2017 through 2024, for example, pilot certifications grew about 10 percent, with most of the increase starting in 2021. In 2024, pilot hiring slowed at the network and low-cost airlines, in part due to aircraft delivery delays, according to selected stakeholders. This hiring slowdown may have allowed regional airlines to retain pilots and move toward pre-pandemic staffing levels. In addition, regional airlines significantly increased pay to attract and retain pilots, raising the average hourly rate for a first-year first officer from about $52 an hour in 2021 to about $93 an hour in 2024. To help strengthen the pilot pipeline, the FAA Reauthorization Act of 2024 required FAA to take action on two pilot training initiatives by November 2024. Enhanced Qualification Program (EQP). Requires FAA to establish requirements so that qualified air carriers, among others, may provide enhanced training based on a nationally standardized curriculum that includes instruction on airline operations and procedures for eligible pilots seeking a restricted-privileges airline transport pilot certificate. Nationwide office for Designated Pilot Examiners (DPE). Requires FAA to establish a nationwide oversight office and to submit reports to congressional committees evaluating the use of DPEs—experienced pilots designated by the FAA to conduct tests with student pilots. Industry stakeholders told GAO that progress on both initiatives could expedite pilot training. In February 2026, FAA officials told GAO the agency has established EQP requirements internally and set up the DPE national oversight office and has begun oversight. FAA officials said that additional time is needed to complete internal processes before issuing the EQP requirements and the DPE report and that no timelines have been established for issuing either. Establishing and publicly communicating the timelines for issuing the EQP and DPE products would inform external stakeholders—including Congress—of FAA’s plans for meeting the requirements in the FAA Reauthorization Act. Having this timeline information would also help industry stakeholders, such as aviation schools, prepare to support these initiatives and enhance FAA transparency and accountability. Why GAO Did This Study Commercial airline pilots, including regional airline pilots, play a crucial role in facilitating economic activity by ensuring safe and efficient air travel. As in many other highly specialized fields, becoming a commercial airline pilot takes years of training and experience. The FAA Reauthorization Act of 2024 includes a provision for GAO to review the supply of regional airline pilots. This report examines (1) how pilot supply and other factors affected regional airline service during the post-pandemic recovery, according to selected stakeholders; and (2) what the available data and stakeholders indicate about the current and future supply of regional airline pilots. GAO analyzed FAA pilot certification data, Department of Transportation data on regional pilot employment, and data from the Air Line Pilots Association on hourly pay rates for first-year regional airline pilots. GAO interviewed FAA officials to obtain perspectives on pilot supply and agency actions. GAO also interviewed representatives from a nongeneralizable sample of 29 aviation stakeholders, such as network and regional airlines, collegiate aviation schools, and industry associations.

What GAO Found During GAO’s audits of the Internal Revenue Service’s (IRS) fiscal year 2025 financial statements and of its internal control over financial reporting as of September 30, 2025, GAO identified five new deficiencies in internal control over financial reporting. Four of these new deficiencies are sensitive in nature and related to information systems, consisting of three access control deficiencies and one security management control deficiency. The remaining new deficiency was not sensitive in nature and related to IRS’s nonproduction costs, which are part of the financial reporting transaction cycle. This report presents detailed information on the new financial reporting transaction cycle control deficiency and associated recommendation. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new information system control deficiencies and four recommendations to address them. In addition, GAO determined that IRS had completed corrective actions for 14 of 30 recommendations from GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2024. IRS’s actions addressed four transaction cycle recommendations, one safeguarding assets recommendation, and nine information system recommendations. This report provides the status of eight previously reported recommendations that are nonsensitive in nature and IRS’s actions to address them as of September 30, 2025. The LIMITED OFFICIAL USE ONLY report contains the status of the 30 previously reported sensitive and nonsensitive recommendations and IRS’s actions to address them as of September 30, 2025. As of September 30, 2025, IRS has 21 open GAO recommendations related to internal control over financial reporting to address three transaction cycle recommendations (including one that is new), one safeguarding assets recommendation, and 17 information system recommendations (including four that are new). The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to and modification of data and programs, disclosure of sensitive data, and disruption of critical operations. The new and continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements. Why GAO Did This Study GAO annually audits IRS’s financial statements and its internal control over financial reporting, including information system controls. This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audits. This report also includes the results of GAO’s fiscal year 2025 follow-up on IRS’s corrective actions to address recommendations contained in GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2024.

What GAO Found Hydrogen energy technologies offer long-duration energy storage, increased transportation efficiencies, quiet operation, reduced air polluting emissions, and potentially broad availability. For example, hydrogen fuel cell power generation technologies could provide quiet, clean backup power to data centers and other large-scale operations during power outages. These generation technologies could increase overall electricity grid security by providing long-duration energy storage. Currently, hydrogen fuel cells provide about 0.03 percent of utility-scale electricity generation. Current and potential hydrogen energy technologies However, hydrogen energy technologies have not been widely adopted because of hydrogen’s relatively high cost and limited market. Additionally, GAO identified four technical challenges to widespread use: Efficiency and safety. Hydrogen’s physical characteristics make it particulary susceptible to efficiency losses, leakage, and emergency response risks. Infrastructure. Transport and storage infrastructure is generally lacking or confined to certain regions of the U.S., and existing natural gas pipeline infrastructure might not be suitable for hydrogen. Geography. Geographic constraints can increase transport and storage costs for hydrogen users. Regulation and permitting. Unclear federal jurisdiction and lack of standards can slow down projects. Since the 1950s, the U.S. has made periodic investments in hydrogen as a potential power source and transportation fuel. Relevant past legislation cited goals such as energy security and resilience, market competitiveness, and prioritizing use of lower-emission energy technologies. GAO offers seven options that policymakers could consider to advance these goals and address challenges to hydrogen energy use. GAO formulated these options for five policy goals, identified through a review of historical congressional legislation related to hydrogen energy. See tables 1–5 in this report for additional policy options and details. Policy Goals and Policy Options for Hydrogen Energy Technologies Policy goal: Energy security and resilience.   Policy options (report p. 21) Identify energy system vulnerabilities and deploy solutions Identify and address infrastructure needs Develop or clarify regulations, standards, and oversight purview Support research and development (R&D)   Opportunities Could diversify the energy system and improve its resiliency. Could make hydrogen more readily available as a tool to build resilience by producing energy independent of existing electricity grid infrastructure Considerations May reduce staff and financial resources for more cost effective or mature energy technologies that may provide similar benefits. Policy goal: U.S. hydrogen market competitiveness.     Policy options (report p. 22) Implement market-stimulating mechanisms Develop or clarify regulations, standards, and oversight purview Support R&D Evaluate hydrogen energy deployment and utility Opportunities Could help bridge the gap between the higher cost of hydrogen and the price customers are willing to pay Considerations There may not be sufficient or available transport and storage methods to support increased supply and demand. Policy goal: Low-carbon energy transition.   Policy options (report p. 24) Implement market-stimulating mechanisms Identify and address infrastructure needs Develop or clarify regulations, standards, and oversight purview Support R&D Evaluate hydrogen energy deployment and utility Support collaboration and consortia   Opportunities Could help bridge the gap between the higher cost of low carbon hydrogen and the price customers are willing to pay. Could reduce supply chain infrastructure limitations. Could help identify whether, where, and when to use specific technologies. Considerations May reduce staff and financial resources for other policy goals. Resource- or time-intensive regulations or permitting requirements could hinder adoption of hydrogen energy technologies. Policy goal: Prioritize technologies with near-term potential.   Policy options (report p. 27) Implement market-stimulating mechanisms Support R&D Evaluate hydrogen energy deployment and utility   Opportunities Could streamline R&D for technologies on the cusp of commercialization Considerations The most mature technologies may not be competitive in global markets or may not have many utilization opportunities. Policy goal: Research, development, and innovation.   Policy options (report p. 28) Support R&D Evaluate hydrogen deployment and utility Support collaboration and consortia   Opportunities Could enable scientific and technological developments and advancements for hydrogen energy and the larger scientific community. Considerations There is no guarantee that additional R&D will result in technology deployment. Source: GAO. | GAO-26-107932 Why GAO Did This Study Hydrogen is a versatile chemical with many potential uses, including vehicle fuel cells, aviation fuel, and power generation. For decades, interest in hydrogen energy technologies to augment or replace diesel, natural gas, and electricity has garnered billions of dollars in research and development. The U.S. could produce hydrogen in vast quantities from domestically abundant resources. However, hydrogen energy is generally more costly than alternatives and infrastructure is lacking, so whether it will replace incumbent technologies is unclear. This report examines: (1) current and emerging technologies for hydrogen production, transport, storage, and use; (2) potential benefits and challenges to developing or using these technologies; and (3) possible policy options. To conduct this technology assessment, GAO searched the relevant literature; reviewed documents and reports; interviewed stakeholders from government, industry, academia, and nonprofits; conducted site visits; attended a conference; and convened a 3-day meeting of 18 experts from government agencies, industry, academia, and federally funded research and development centers. GAO is identifying policy options in this report. For more information, contact Karen L. Howard, PhD at HowardK@gao.gov.

What GAO Found Across 11 selected UN capital projects that were completed or in progress from December 31, 2014, through December 31, 2024, seven projects were within budget and three were on schedule. For the projects that experienced budget increases and schedule delays, GAO found that multiple factors contributed to the increases and delays. For example, as of May 2025, the Strategic Heritage Plan project (SHP) was 10 percent over budget and 4 years behind schedule. COVID-19 reduced the number of workers who could be on site, causing schedule delays, and challenges coordinating construction work with contractors slowed progress, according to SHP officials. However, the Gigiri Master Plan, located in Nairobi, Kenya, is on budget and on schedule, in part because of effective project monitoring and reporting, with construction expected to be completed in 2029. Coordinating U.S. oversight of UN capital projects is a Department of State responsibility. State’s Bureau of International Organization Affairs (IO) monitors UN capital projects through mechanisms including reviewing reports, attending meetings, and engaging with UN officials. However, GAO found that opportunities exist for State to strengthen its oversight of projects. For example, State IO officials do not systematically monitor key indicators (e.g., budget and schedule) and do not have guidance that identifies indicators, triggers, or steps for taking action to address issues with capital projects. Establishing such guidance could provide a useful tool for fulfilling oversight responsibilities and could help minimize budget or schedule overruns. To help mitigate risks, UN officials identified lessons learned, including through collaboration between project officials and on-the-job experience, and applied them to capital projects. These lessons help projects avoid design complications, increased costs, and schedule delays. They also help strengthen governance and support business continuity through use of swing space (see below). For example, the Gigiri Master Plan and other projects created steering committees to strengthen their governance structures by informing, advising, and constructively challenging the project director. Temporary UN Workspaces Support Continued Operations During Construction Why GAO Did This Study In the past 10 years, the UN has undertaken several significant capital projects, collectively valued at more than $4 billion, with the aim of bringing its workspaces up to modern usability, safety, security, and environmental standards. In 2023, the U.S. was the largest financial contributor to the UN. State, the lead U.S. agency on foreign affairs, advances U.S. interests at the UN. A House Committee Report includes a provision for GAO to review UN capital projects with a total budget of $25 million or more in the past 10 years. This report examines factors that have contributed to changes in budget and schedule for selected UN capital projects, how State monitors the progress of projects, and lessons learned, among other objectives. To address these objectives, GAO selected 11 UN capital projects with budgets of over $25 million that were either completed or ongoing in the period from December 31, 2014, through December 31, 2024. GAO analyzed UN documents, reports, and guidance related to budget, schedule, fraud mitigation, and lessons learned. GAO also interviewed State and UN officials and relevant contractors. Additionally, GAO conducted field visits and met with officials at UN headquarters in New York and at project sites in Geneva.

What GAO Found Limitations in control activities allowed potentially ineligible providers to participate in the Federal Employees Health Benefits (FEHB) program. The Office of Personnel Management (OPM) and its Office of the Inspector General (OIG) have a variety of control activities for identifying ineligible providers. However, GAO found limitations in these control activities. GAO’s data analyses identified FEHB claims from approximately 400 providers who were deceased and over 2,000 additional claims from providers who were excluded from federal programs. While such claims are a small proportion of annual FEHB claims, they represent a risk the agency could mitigate. Taking additional steps to identify providers who are deceased or excluded from other federal programs would help OPM and OPM OIG prevent fraud and improper payments in the FEHB program. For example, comparing death data with FEHB claims could help prevent improper payments or fraud in FEHB claims payments. Selected FEHB carriers do not always comply with requirements for identifying and excluding suspended or debarred providers. GAO found that selected FEHB carriers—which operate health benefit plans—do not always notify patients that their providers are suspended or debarred, as required. Carriers also did not notify OPM OIG when providers may warrant suspension or debarment, as required by OPM OIG policy. Clarifying requirements would help OPM and OPM OIG ensure that patients are not exposed to risks related to suspended or debarred providers. Why GAO Did This Study The FEHB program is the largest employer-sponsored health insurance program in the United Sates. OPM is responsible for managing fraud and improper payment risks in the FEHB program, including risks associated with ineligible health care providers. Ineligible providers can increase costs and may pose safety risks to patients. GAO was asked to review OPM’s efforts to manage provider-related fraud risks in the FEHB program. This report examines the extent to which (1) program control activities allow potentially ineligible providers to participate in the FEHB program; and (2) selected FEHB carriers comply with requirements for identifying and excluding suspended or debarred providers, among other objectives. GAO performed analyses comparing FEHB claims data with various data sets indicating that providers may be ineligible, such as data on deceased providers or providers excluded from other federal programs. GAO also reviewed documents and interviewed officials from OPM, OPM OIG, and FEHB carriers. GAO compared this information with applicable regulations, guidelines, and federal standards for internal control.

What GAO Found The National Labor Relations Board (NLRB) administers and enforces the National Labor Relations Act. The Act encourages the practice of collective bargaining, protects the rights of employees in this area, and seeks to eliminate unfair labor practices. To do so, the Board relies on a host of IT systems to carry out its functions, including seven human resources systems. According to NLRB officials, the United States DOGE Service (USDS) (formerly known as the United States Digital Service and now commonly referred to as DOGE) first contacted them on April 15, 2025. Subsequently, USDS staff met with NLRB’s Chairman, Acting General Counsel, and other senior Board leaders on April 16, 2025. That same day, NLRB entered into agreements for two General Services Administration employees to be detailed to NLRB as DOGE team staff. The agreements expired on July 25, 2025. The DOGE team requested access to NLRB systems but did not use them. Specifically, both DOGE team staff requested access to all seven of the Board’s human resources systems. Board staff then (1) fulfilled two of those access requests but (2) did not fulfill the other five. Specifically: Two fulfilled requests. According to NLRB officials, the Board created accounts on April 24, 2025, for both team members that addressed two of the seven requests for system access. However, DOGE team staff did not use the accounts to enter the systems. Specifically, as of July 25, 2025, the team staff had not picked up their NLRB laptops or activated their system accounts, according to Board officials. Accordingly, NLRB disabled the system accounts shortly after the agreements with team staff expired. Five requests that were not fulfilled. Requests for access to the remaining five systems were not completed because the DOGE team staff did not pick up the laptops needed for the Board to provide them with such access. GAO found no evidence that DOGE team staff accessed any of these systems between April 16, 2025, and July 25, 2025. To determine this, GAO reviewed the sign-in activity of the logs for the DOGE team members’ accounts used to access NLRB network resources and did not identify any sign-ins during the specified timeframes. Why GAO Did This Study USDS was created by executive order to implement the President’s goals to maximize government efficiency by modernizing technology. The executive order also calls for the heads of executive branch agencies to establish DOGE teams that work with USDS. On April 14, 2025, an NLRB IT staff member disclosed to Congress allegations that one or more DOGE team members arrived in March 2025 and unlawfully accessed the Board’s case management systems and allowed potential foreign actors to exfiltrate or steal data. The following day, a news outlet publicly reported on these allegations. According to NLRB, the Board’s Inspector General is investigating these allegations. GAO was asked to review the systems and information NLRB’s DOGE team accessed at the Board. This report describes the NLRB systems that the DOGE team had been provided access to and how, if at all, the team used those systems. To address the objective, GAO focused on DOGE team access to NLRB systems between April 16, 2025, and July 25, 2025 (start and end dates for the agreements to detail DOGE team staff to NLRB). GAO did not review DOGE team access prior to April 16, 2025, to not overlap with the NLRB Inspector General’s investigation. GAO reviewed system access request forms and NLRB approval communications to determine the level of access that the DOGE team was authorized to receive for each system. GAO also interviewed NLRB staff regarding what level of access they provided for each system to the team. GAO reviewed NLRB sign-in activity of the logs for the accounts used to access agency network resources. The NLRB did not have any comments on the report. For more information, contact Marisol Cruz Cain at CruzCainM@gao.gov.

What GAO Found The U.S. government disburses payments for various reasons (e.g., income tax refunds, benefit payments, and vendor and salary payments). The majority of federal entities process their payments through the Bureau of the Fiscal Service’s (BFS) payment systems. Accordingly, the integrity and security of these systems are critical to the nation’s economy. The preliminary results of GAO’s ongoing work show that one Treasury Department of Government Efficiency (DOGE) team employee had access to three BFS payment systems between January 2025 and February 2025. The employee had access to view, copy, and print data for the three payment systems. In addition, the employee was inadvertently granted temporary access to create, modify, and delete data for one of the three systems, but GAO found no evidence of any changes to system data. The bureau did not fully address three of four selected control areas for ensuring that DOGE team employees with access to BFS systems follow its IT security rules. (See table.) Specifically, BFS implemented five of the 14 selected controls within those four areas. Extent to Which Bureau of the Fiscal Service (BFS) Implemented the Four Selected Cybersecurity Control Areas Control area Area rating Control System Access (5 controls) Partially implemented Control System Integrity (2 controls) Fully implemented Control Information Confidentiality (4 controls) Substantially implemented Monitor System Usage (3 controls) Substantially implemented Source: GAO analysis of BFS documentation. | GAO-26-108131 Key: Fully implemented: BFS provided evidence that satisfied all of the related controls; Substantially implemented: BFS provided evidence that satisfied at least two-thirds, but not all, of the related controls; Partially implemented: BFS provided evidence that satisfied at least one-third, but less than two-thirds, of the related controls. Examples of BFS not fully implementing specific controls include: BFS did not ensure that an employee agreed to follow the bureau’s IT security rules before receiving a BFS laptop. As a result, the bureau was not well positioned to hold the employee accountable for not following those rules. BFS did not configure its security tools to identify and block unencrypted payment information resulting in an employee improperly transmitting payment information outside of the bureau. In addition, the Treasury DOGE team did not always follow BFS’s IT security rules. Specifically, an employee did not encrypt payment information sent to another agency DOGE team or obtain approval to share this information prior to sending it. This employee did not always follow the IT security rules because, as previously discussed, BFS did not implement all controls needed to ensure compliance with those rules. Until BFS fully implements controls for overseeing users with broad access to payment systems, this important information will be at greater risk of improper access, modification, disclosure, and misuse. Why GAO Did This Study The United States DOGE Service (USDS) was created by executive order to implement the President’s goals to maximize government efficiency by modernizing technology. The order also calls for the heads of executive branch agencies to establish DOGE teams that work with USDS. GAO was asked to review the efforts of Treasury DOGE staff to protect BFS systems. Its objectives were to (1) describe the DOGE team access to BFS payment systems, (2) evaluate the extent to which BFS implemented controls to ensure that the DOGE team followed the bureau’s IT security rules, and (3) assess the extent that the DOGE team followed those rules. In addressing its first objective, GAO summarized the preliminary results of its ongoing work describing access to payment systems. For the latter two objectives, GAO completed its audit work and is making recommendations. Specifically, GAO analyzed federal IT security guidance and identified 14 applicable controls in four areas related to managing system access and protecting sensitive information. GAO also analyzed BFS’s IT security rules and evaluated documentation related to DOGE access to payment systems.

Why This Matters Space-based data centers would place data processing and storage systems for AI and other computing needs into satellites. This could reduce the land, electricity, and water needed for data centers on Earth. Several companies have begun development of data centers in space, but there are engineering and economic barriers to deployment. Key Takeaways Placing data centers in space could reduce the demand for resources from these facilities on Earth. Data centers generate excess heat, but space does not cool computing hardware efficiently. This could be a major engineering challenge. A significant increase in the number of satellites in orbit could be difficult to manage and cause collisions. The Technology What is it? Data centers house computer servers, data storage systems, and network equipment that provide digital applications and services—such as artificial intelligence (AI) and cloud computing. Space-based data centers would house similar equipment in satellites to process data in space instead of on Earth (see figure). How does it work? Most proposals for space-based data centers use satellites deployed to low Earth orbits. These orbits allow faster communication with Earth and cost less to reach than higher ones. Some low Earth orbits (e.g., sun-synchronous) could also provide satellites with near-continuous solar energy. Some proposals envision constellations of thousands of new satellites working together to process data. Figure 1. Terrestrial and Hypothetical In-Space Data Centers These might supplement or replace the use of terrestrial data centers for energy-intensive tasks such as cloud computing services or training AI models. How mature is it? Like existing satellites, space-based data centers need support systems that provide power, cooling, and communication. These basic components rely on mature technologies, but their deployment and operation to support data centers is unproven. Smaller data centers intended to process data generated in space may be closer to maturity than larger data centers built to train AI models in space. Large data centers have power and cooling needs that will require further engineering development, such as solar arrays that are larger than any launched and assembled in space as of April 2026. Cooling solutions at this scale are also unproven. Large data centers produce waste heat that must be dissipated into space to prevent damage to computing systems. Such cooling is challenging because heat is not easily dispersed in the near-empty vacuum of space. Space-based data centers may need more advanced data transfer systems. These systems could transmit larger amounts of data to Earth or between networked satellites for data-intensive tasks like training AI. Public and private projects are testing high-performance computing hardware and communications technologies in space, with deployment of some data center satellites planned by the mid-2030s. Since January 2026, the Federal Communications Commission has received three applications from U.S. companies for large satellite constellations operating as data centers. Other projects are underway in China, the European Union, and Japan. Opportunities Reduce AI resource demands. The Department of Energy projects data centers will account for up to 12 percent of U.S. electrical demand by 2028, driven by AI development. Data centers in space might reduce demand for electricity, water, and physical infrastructure on Earth. Process data collected in space faster. Orbiting telescopes and observation satellites create large volumes of data that are currently sent to Earth for processing. Not all raw data are ultimately useful, and processing in space could reduce data transmission volume to Earth, and associated costs, and increase decision-making speed. Challenges Economic viability. Manufacturing and launching satellites is expensive. Reducing the cost of space-based data centers may depend on developing solutions to electricity, cooling, and communications needs that do not add excessive size or launch weight. Crowded orbits. More satellites in orbit could increase collision risks, including with crewed missions, and interfere with astronomical research. Federal agencies must coordinate demand nationally and internationally for radio frequencies for data communication. Computing in space. Space radiation can corrupt data unpredictably and degrade hardware. Mitigation may be costly or could reduce computing performance. A data center might benefit from in-space servicing by other satellites, but this capability is underdeveloped. As a result, data centers might be decommissioned more frequently than other satellites, potentially increasing space debris or risks from atmospheric reentry. Policy Context And Questions To what extent does the U.S. have adequate launch and other facilities to support a potential increase in satellites? What information is needed to help policymakers balance growing commercial use of space with the long-term management of space as a resource? How might existing laws, treaties, and other international agreements covering space or using data apply to data centers in space? What research is needed to predict the safety, costs, and life cycles of novel data centers, including in space? Selected GAO Work In-Space Servicing, Assembly, and Manufacturing: Benefits, Challenges, and Policy Options, GAO-25-107555. Large Constellations of Satellites: Mitigating Environmental and Other Effects, GAO-22-105166. Selected Reference Ablimit Aili, Jihwan Choi, Yew Soon Ong, and Yonggang Wen. "The development of carbon-neutral data centres in space." Nature Electronics, vol. 8, no. 11 (2025): 1016–1026. https://doi.org/10.1038/s41928-025-01476-1. For more information, contact Karen L. Howard, PhD at HowardK@gao.gov.

What GAO Found For fiscal year 2025, 15 agencies’ estimated improper payments totaled about $186 billion across 64 programs. This represented about $24 billion more in improper payment estimates in fiscal year 2025 than in the prior fiscal year. Agencies reported that about $153 billion (approximately 82 percent) of this total was the result of overpayments. However, these estimates do not represent the full extent of government-wide improper payments. For instance, the $186 billion does not include certain programs that agencies have determined are susceptible to significant improper payments, such as the Department of Health and Human Services’ Temporary Assistance for Needy Families. Of the programs reporting improper payment estimates for fiscal year 2025, 19 reported improper payment rate estimates of at least 10 percent, including six programs whose rates exceeded 25 percent. Programs Reporting the Largest Percentage of Government-Wide Improper Payments Estimates for Fiscal Year 2025 Note: For more details, see fig. 2 in GAO-26-108694. Percentages in the figure do not sum to 100 percent due to rounding. The Payment Integrity Information Act of 2019 (PIIA) requires the inspector general (IG) at each executive branch agency to annually report on the agency’s compliance with applicable PIIA criteria. According to these IGs, half of the 24 agencies reporting the majority (99 percent) of the federal government’s improper payment estimates in fiscal year 2024 fully complied with PIIA criteria and related Office of Management and Budget requirements. The IGs found that the other 12 agencies did not comply with at least one criterion in fiscal year 2024. IGs made recommendations to address noncompliance related to inadequate risk assessments for five agencies and unreliable estimates for seven agencies. Why GAO Did This Study Improper payments—those that should not have been made or were made in incorrect amounts—have consistently been a government-wide issue. Since fiscal year 2003, cumulative improper payment estimates by executive branch agencies have totaled about $3 trillion, though the actual amount may be much higher. Reducing improper payments is critical to safeguarding federal funds. GAO performed this audit in connection with the statutory requirement for GAO to audit the U.S. government’s consolidated financial statements. This report provides an overview of federal agencies’ improper payment estimates for fiscal year 2025. Additionally, it discusses agencies’ compliance with requirements for reporting and managing improper payments in fiscal year 2024 as well as the recommendations that IGs made to the agencies to improve compliance.

What GAO Found In fiscal year 2025, the Defense Counterintelligence and Security Agency (DCSA) conducted over 4,600 security reviews. The agency also documented over 800 security violations (see figure) and over 1,000 open security vulnerabilities associated with cleared contractor facilities. To conduct its industrial security mission, DCSA relied on over 470 industrial security mission personnel and spent over $160 million in fiscal year 2025. Defense Counterintelligence and Security Agency (DCSA) Documented 815 Security Violations by Category Type, Fiscal Year 2025 Note: Security violations are incidents where a contractor fails to comply with the National Industrial Security Program Operating Manual’s policies and procedures that could reasonably result in the loss or compromise of classified information. For example, data spills are when classified information appears, or “spills,” onto an unclassified system. Security vulnerabilities are identified weaknesses in a contractor’s industrial security program that could be exploited to gain unauthorized access to classified information or information systems accredited to process classified information. DCSA has taken steps to manage risk with the industrial security mission. These include efforts to identify, assess, and respond to risk. However, DCSA has not addressed gaps to fully assess and respond to risks to its operational activities in line with DOD guidance on risk management. For example, DCSA has not identified and developed analytic capabilities to better support field operators’ assessments of risk at the regional level. With such capabilities, the agency could identify the most significant regional trends affecting its overall performance objectives. Further, DCSA began an initiative in 2019—the National Access Elsewhere Security Oversight Center (NAESOC)—aimed at mitigating risk partly through the reduction of workload on regional officials. However, participants in all 12 of the focus groups GAO conducted reported on the center’s insufficient staffing, limited risk mitigation, and industry dissatisfaction. According to DCSA officials, the agency has not comprehensively assessed the NAESOC risk response effort, including identifying its resourcing needs and outcome-oriented performance goals. Doing so would be in line with DOD risk guidance to conduct regular assessments on risk responses. Finally, DCSA identified challenges with its current industrial security data system of record and has begun developing a replacement. However, DCSA has not continuously engaged its end-users—DCSA regional and military department officials—throughout the development process, to include requirements development and other stages prior to testing. Without doing this, DCSA risks developing a replacement system with ongoing challenges. Why GAO Did This Study Foreign entities continue to attempt to illicitly obtain classified information and technology from industry thousands of times a year. DCSA, a Department of Defense (DOD) component, administers the DOD portion of the National Industrial Security Program (NISP), with the purpose of protecting classified information released to federal contractors, among others. DCSA has responsibility for ensuring that contractors properly access and store classified content for an estimated 90 to 95 percent of U.S. classified contracts across the federal government. House Report 118-125 includes a provision for GAO to review DOD’s administration of the NISP. This report addresses (1) the funding, personnel, and training DCSA dedicates to perform its industrial security mission, and the extent to which DCSA (2) has managed risks within the NISP’s core operational activities and (3) is addressing challenges with the National Industrial Security System. GAO reviewed documents and interviewed officials from DCSA, the military service components, and the National Archives and Records Administration. GAO also conducted a series of focus groups with 80 selected DCSA regional personnel who conduct industrial security operations.