Program Integrity Alliance
All Insights

The 30-Day Test

GovIntegrityApril 13, 2026
The 30-Day Test

I want to believe. I really do.

The Trump administration’s new Task Force to Eliminate Fraud — chaired by Vice President Vance, drawn from every major Cabinet agency, and armed with an accelerated 30-60-90-day implementation timeline — is the most serious government-wide anti-fraud commitment I’ve seen in nearly 20 years of working on this issue. The mandate to shift the federal posture from “pay and chase” to preventive controls is exactly right.

On paper, this is the effort I’ve been arguing for.

But nearly two decades of working with agencies tells me the 30-day vulnerability assessment at the center of this effort is heading straight for the most entrenched obstacle in federal fraud prevention: the career risk of telling the truth about how exposed your programs actually are. And a new enforcement dynamic the administration itself has created is about to make that obstacle significantly worse.

Good Idea. Wrong Timeline. Wrong Incentives.

Section 3 of the executive order requires each agency to submit, within 30 days, descriptions of transactions and processes within its programs “most susceptible to fraud.” These are things like new enrollments, eligibility redeterminations, provider enrollments, self-attestation procedures, changes to payment destinations, and third-party intermediaries.

This is a good list. These are exactly the right categories. I recognize them because they are drawn from the GAO Fraud Risk Management Framework, which I led the development of a decade ago and which is now codified in statute under the Payment Integrity Information Act. The problem is that identifying the categories of vulnerability is just the start.

A meaningful fraud risk assessment — the kind PIIA actually requires — means understanding how a program works in practice, not just on paper. It means cataloguing the specific fraud schemes that have occurred or could plausibly occur in each category, assessing the likelihood and potential impact of each, and prioritizing where preventive controls will produce the greatest return. That process, done with any rigor, takes months.

As of 2023, agencies still hadn’t addressed 95 of GAO’s prior fraud risk management recommendations. A third of federal agencies surveyed didn’t have regular monitoring or evaluation activities. Half didn’t regularly make changes based on evaluation results. Here’s the truth: organizational culture, data infrastructure, and leadership accountability have made sustained, honest fraud risk management the exception rather than the rule.

In 30 days, agencies across government will not suddenly know how to do what they haven’t been doing for years. The deeper problem isn’t capacity. It’s incentive.

Why Washington Has Always Looked the Other Way

Fraud is deceptive by design. When agency leaders finally look for it, they will find more of it — at least at first. In Washington, that is treated as failure, not progress. Budgets get questioned, oversight hearings get scheduled, headlines follow. The rational response for a career official is to stop looking.

Consider this thought experiment: you are the head of a major benefit agency and you decide to use data analytics to look for fraud. You find it — and it is far worse than anyone imagined. Now your agency has more reported fraud than any other. Other agencies, those that didn’t decide to go looking for fraud, are not reporting the fraud numbers that you’re now reporting. Hearings get scheduled. Lawmakers demand answers. Your budget is threatened. You are punished for looking, while the agencies that didn’t look are rewarded.

This is the perverse logic that has driven agencies toward “pay and chase” for decades — recovering dollars after the fact, where the win is visible, rather than preventing losses before they happen, where the benefit is invisible.

Prevented fraud cannot easily be counted, budgeted for, or celebrated in a press release. Recovered fraud can. So agencies optimize for the metric that rewards them, not the one that protects taxpayers.

I have spent 20 years watching agency leaders respond to questions about fraud with long lists of policies, procedures, risk assessments, and technology they have procured — documentation carefully assembled to demonstrate that the process was followed, whether or not the fraud kept happening. The 30-day vulnerability assessment will produce more of the same.

A New Culture of Fear

But there’s a bigger problem in the new task force’s work: it includes a Sword of Damocles that menacingly looms over the whole endeavor.

This year, the administration has withheld $259 million in federal Medicaid matching funds from Minnesota, citing concerns about fraudulent and unsupported claims. It has sent formal letters to California, New York, Maine, and Florida requesting information about their anti-fraud policies and procedures, with the implicit threat of similar action. A federal court has allowed the Minnesota deferral to proceed.

The stated rationale is accountability: states that have fraud should face consequences. That logic makes sense in principle. But consider what it means for the 30-day vulnerability assessment. If an agency — or a state — conducts a genuinely honest assessment and surfaces real fraud vulnerabilities, it has now produced documentary evidence of exactly the kind of problem that triggers federal fund withholding. The rational response is to submit an assessment that is complete enough to satisfy the task force but not so candid that it becomes an enforcement target.

The cultural taboo around admitting fraud has always made honest self-assessment difficult. The threat of losing federal funding transforms that taboo into a financial imperative.

There is a further complication the administration should reckon with before it ties enforcement to self-reporting. This month, CMS acknowledged it had made a significant error in the fraud accusations it leveled at New York’s Medicaid program — claiming that five million New Yorkers received personal care services when the actual figure was approximately 450,000. CMS had misread New York’s billing codes, overcounting by a factor of ten, and used that inflated number as the basis for a formal fraud investigation and the threat of funding consequences. The error was caught only after New York pushed back.

The point isn’t about New York being innocent or guilty of anything. The point is that the federal government’s own fraud measurement methodology produced a tenfold error — and the financial penalties were already in motion before anyone checked the math.

If the task force wants states and agencies to submit honest vulnerability assessments, the credibility of the federal measurement tools that will scrutinize those assessments has to be established first. Accuse now, verify later is not a framework that produces candid self-disclosure from the people being accused

Use the Momentum. Make It Substantive.

None of this means the task force is a mistake. The political will behind it is real and rare, and the doctrine is correct. But good intentions and executive orders do not change the structural incentives that have kept agencies from doing honest fraud risk management for decades. The task force will only convert this moment into durable impact if it grapples directly with those incentives.

Here is what that looks like in practice.

First, treat the 30-day submissions as a starting point, not a deliverable. Every agency that says its fraud exposure is modest should be asked to substantiate that claim with data — not a list of controls, but evidence of what those controls are actually catching. The submissions that look clean are the ones most likely to be incomplete.

Second, pair self-reports with independent analysis. The agencies that have had the most meaningful breakthroughs on fraud — including PRAC with its pandemic relief engine — did not rely on agencies to report their own vulnerabilities. They built independent data capacity and showed agencies what they were missing. That moment of recognition, when an agency sees the actual exposure rather than the reported one, is where real action begins. The task force should be creating that moment systematically.

Third— and this is absolutely key—separate accountability for findings from punishment for honesty. The Minnesota and New York enforcement actions send the signal that surfacing fraud leads to financial penalty. If the task force wants genuine vulnerability assessments, it needs a safe harbor for agencies that come forward honestly — a distinction between the state that is hiding fraud and the state that has finally looked and found it. Those are not the same problem, and they should not receive the same response.

Finally, build the 60-day and 90-day requirements around specific, measurable commitments to named preventive controls — not plans to consider controls, not working groups, not interagency coordination memos. The task force has until the end of 2026 to produce findings. Whether those findings change anything will depend entirely on whether the accountability mechanism for the next phase is real.

The administration has the right framework and the political attention to make this matter. What it does not yet have is an implementation theory that accounts for why agencies have not done this work honestly for the past two decades. The task force will tell us a great deal about which of those two things is actually driving the effort.

Article first posted on GovIntegrity.