[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

Perform a comprehensive, enterprise-wide assessment, with input from each division, to identify the operational technology threats to the FBl's investigative and business practices develop options for an FBI-wide approach to mitigate each of the threats identified; identify and report these options and the results of the assessment to the Deputy Director to use in developing and assigning responsibility for the FBl's enterprise-wide strategy for managing this risk.

Fully implement an enterprise-wide training plan for mitigating the threat posed to FBI investigations, personnel and sources by changing operational technologies. This training plan should include a baseline training for all employees, including non-agent personnel, It should also include appropriate refresher training on a regular basis.

(U) Transfer to the Stagehand program the field division FSL already used by Stagehand or determine an alternative approach that gives Stagehand appropriate control over its staffing to ensure the operational effectiveness, continuity, and security of the Stagehand program.

(U) Work with NSD and other Department stakeholders to develop an integrated system for tracking requests for AGEs and Otherwise Illegal Activity from initiation through final approval that can meet the FBl's and the Department's operational needs, provide visibility about the status of a given request. and identify specific and systemic delays in the AGE and Otherwise Illegal Activity approval process.

(U) Establish reasonable and attainable qualifications for UCCs to better ensure UCCs have appropriate undercover experience, grade level. and adequate time to effectively conduct their undercover-related
duties. Once the UCC qualifications are established, the FBI should update its policies and procedures to reflect the new requirements.

Reassess its policies to incorporate enhanced communication among personnel involved in inmate transfer decisions.

Ensure that its written procedures and practices regarding medical transfer codes and paperwork are consistent.

Consider modifying its policies to require BOP personnel to review an inmate's medical records before making decisions that impact the inmate's medical care.

Closely examine the Medical Care Level Guidelines and Medical Classification Algorithm for needed clarity and improvement.

Modify the Medical Care Level Guidelines to address how an inmate's noncompliance with medical treatment should impact the inmate's medical care level classification, regardless of the patient's reason for noncompliance.

Consider limiting the number of BOP personnel who receive notification of an inmate's impending transfer, especially for Broad Publicity and other high-risk inmates. For example, the BOP should consider discontinuing distribution of transfer information to group email inboxes accessible by numerous personnel, many of whom would not have reason to be notified of the transfer.

Reassess and clarify the BOP's policies regarding maintaining the confidentiality of information regarding designations, redesignations, and transfers of inmates, and provide training to BOP employees on these policies.

Reassess its policies regarding assessing and ensuring the security of inmates at the time of designation, redesignation, and transfer and consider (a) adding specific criteria for BOP officials within DSCC, OMDT, and Central Office to consider before approving the designation and redesignation of Broad Publicity and other CIM inmates; (b) whether changes should be made to the criteria for considering an inmate to be a member, leader, associate, former member, or drop-out of Organized Crime; (c) requiring that additional categories of inmates, such as inmates of a certain level of public notoriety, be referred to Senior Intelligence Designators or the Central Office Intelligence Office, prior to transfer; and (d) adding steps for receiving institutions to take to plan for the arrival of inmates of a certain level of public notoriety.

Create specific procedures for assigning inmates to units within facilities, which may include security considerations, SIS approval, and approval from the warden or other high-level officials.

Implement a policy identifying criteria for the inclusion of a service within the Working Capital Fund (WCF); once the criteria are formalized, JMD should evaluate and ensure that the services currently included in the WCF are appropriate, meet the documented criteria, and are clearly presented to the WCF Board for discussion of any necessary changes.

Review the Office of the Chief Information Officer's (OCIO) cost allocation methodology and update as necessary to ensure that component cost allocations are sensible, equitable, and commensurate with benefits of the services provided.

Update its policy to include specific criteria for identifying "basic activities" appropriate to be included in a Rate Memo and reevaluate OCIO's Rate Memos to ensure that the selected services reflect a consistent approach and "basic activities."

Create and implement guidance for a QASP or QASP equivalent to use as the basis to monitor performance under medical services contracts that contains: (1) measurable performance standards to ensure desirable contract requirement outcomes including those related to quality and timeliness of care; and (2) standards for maintaining documentation related to the ratings in the QASP.

Create and implement strategies to leverage inmate healthcare utilization data that the OIG recommended to collect in 2016, which would enable the BOP to determine the cost effectiveness of alternative medical services contract structures.

Create and implement a uniform or universal billing review and approval process to: (1) ensure medical claims are properly supported and (2) improve timeliness of processing medical invoices.

Create and implement a timeline for utilizing the medical claims adjudication vendor contract awarded in December 2019 to process and ensure healthcare claims are accurate and complete

Enhance its policies, procedures, training and communication, and/or internal controls for the requisition and government purchase card systems to better ensure that purchasing officials understand the C-SCRM requirements and so that applicable requisitions and purchase requests undergo C-SCRM procedures, as required; and develop policies, procedures, and/or internal controls to periodically monitor FBI compliance by identifying and remedying purchases that improperly bypassed the process.

Ensure mitigation actions for ICT products, especially mission-critical ICT products or services, are descriptive, actionable, and tailored to the user environment and operational contexts (including its anonymity of procurement statement); and work with OCIO and the SCRM Unit to create and resource a continuous monitoring program that monitors C-SCRM risks across the FBI, ensures that users understand and follow C-SCRM mitigations identified in the product vulnerability and procurement risk assessments, and develops procedures to periodically monitor and assess user compliance with its C-SCRM mitigation actions.

The FBI should clarify its policies regarding the approved methods for transmitting child sexual abuse material (CSAM) and other contraband to prosecutors and other government employees with a need to view the material in their official capacity.

Update the AHTF Program application guide with the revised performance measures and implement processes to assess the outcome of its AHTF Program performance measures.