Information Security: Software Change Controls at the Department of
Energy (Correspondence, 06/30/2000, GAO/AIMD-00-189R).

Pursuant to a congressional request, GAO reviewed software change
controls at the Department of Energy (DOE), focusing on: (1) whether key
controls as described in agency policies and procedures regarding
software change authorization, testing, and approval complied with
federal guidance; and (2) the extent to which agencies contracted for
year 2000 remediation of mission-critical systems and involved foreign
nationals in these efforts.

GAO noted that: (1) 3 of the 20 components--Nevada Operations Office,
Ohio Field Office, and Western Area Power Administration (WAPA)--had no
formally documented process for routine software change control; (2)
departmentwide guidance and formal procedures at 17 of the 20 components
included in GAO's review were inadequate; (3) of these 17 components,
only headquarters offices had formally adopted the department-level
guidance in documented procedures; (4) DOE had established
department-level guidance for software engineering that adopted the
Carnegie Mellon University Software Engineering Institute's Capability
Maturity Model for Software; (5) however, the guidance was not
mandatory, was adopted by only headquarters offices, and did not address
key controls; (6) based on GAO's interviews, DOE officials were not
familiar with contractor practices for software management; (7) this is
of potential concern because 324 of 352 DOE mission-critical systems
covered by GAO's study involved the use of contractors for year 2000
remediation; (8) officials at 9 DOE components were unfamiliar with
daily contractor practices and either directed GAO to interview
contractor staff to obtain this information or relied on contractor
personnel in GAO's interview; (9) based on GAO's interviews and review
of documented security policies and procedures, background screenings of
personnel involved in the software change process were not a routine
security control at all components; (10) for example, officials at Ames
Laboratory, the Office of Civilian Radioactive Waste Management, and
WAPA told GAO that four contracts for remediation services did not
include provisions for background checks or contractor staff; (11)
agency officials at Ames, headquarters, and the National Renewable
Energy Laboratory told GAO that foreign nationals were employed on three
contracts for remediation services; (12) officials at Ames,
headquarters, and WAPA did not require routine background screening of
foreign national personnel involved in making changes to software; and
(13) at Ames and headquarters, complete data on the involvement of
foreign nationals in software change process activities were not readily
available.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-189R
     TITLE:  Information Security: Software Change Controls at the
	     Department of Energy
      DATE:  06/30/2000
   SUBJECT:  Computer software verification and validation
	     Computer security
	     Computer software contracts
	     Internal controls
	     Contractor personnel
	     Information resources management
	     Contract oversight
	     Employment of foreign nationals
IDENTIFIER:  Software Capability Maturity Model
	     Y2K

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/AIMD-00-189R

B-285543

June 30, 2000

MACROBUTTON Mr. John M. Gilligan

Chief Information Officer

Department of Energy

Subject: Information Security: Software Change Controls at the Department of
Energy

Dear Mr. Gilligan:

This letter summarizes the results of our recent review of software change
controls at the Department of Energy (DOE). Controls over access to and
modification of software are essential in providing reasonable assurance
that system-based security controls are not compromised. Without proper
software change controls, there are risks that security features could be
inadvertently or deliberately omitted or rendered inoperable, processing
irregularities could occur, or malicious code could be introduced. If
related personnel policies for background checks and system access controls
are not adequate, there is a risk that untrustworthy and untrained
individuals may have unrestricted access to software code, terminated
employees may have the opportunity to compromise systems, and unauthorized
actions may not be detected.

DOE was 1 of 16 agencies included in a broader review of federal software
change controls that we conducted in response to a request by Representative
Stephen Horn, Chairman, Subcommittee on Government Management, Information
and Technology, House Committee on Government Reform. The objectives of this
broader review were to determine (1) whether key controls as described in
agency policies and procedures regarding software change authorization,
testing, and approval complied with federal guidance and (2) the extent to
which agencies contracted for Year 2000 remediation of mission-critical
systems and involved foreign nationals in these efforts. The aggregate
results of our work were reported in Information Security: Controls Over
Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000), which
we are sending with this letter.

For the DOE segment of our review, we interviewed officials in DOE's Office
of the Chief Information Officer (OCIO) and Year 2000 project staff at
 headquarters and at 20 of 34 DOE components responsible for remediation of
software for Year 2000. These 20 components, listed in enclosure I,
remediated 352 of DOE's 417 mission-critical systems. We also obtained
pertinent written policies and procedures from these components and compared
them to federal guidance issued by the Office of Management and Budget (OMB)
and the National Institute of Standards and Technology. We did not observe
the components' practices or test their compliance with their policies and
procedures. We performed our work from January through March 2000 in
accordance with generally accepted government auditing standards.

At DOE, we identified concerns in three control areas: formal policies and
procedures, contract oversight, and background screening of personnel.

   * We found that 3 of 20 componentsâNevada Operations Office (NOO), Ohio
     Field Office (OFO), and Western Area Power Administration (WAPA)âhad
     no formally documented process for routine software change control.

   * Departmentwide guidance and formal procedures at 17 of the 20
     components included in our review were inadequate. Of these 17
     components, only headquarters offices had formally adopted the
     department-level guidance in documented procedures. DOE had established
     department-level guidance for software engineering that adopted the
     Carnegie Mellon University Software Engineering Institute's Capability
     Maturity Model for Software. However, the guidance was not mandatory,
     was adopted by only headquarters offices, and did not address key
     controls. Specifically, procedures in

   * four components did not address testing of routine software changes;
   * eight components did not address, and nine did not adequately address,
     controls over application software libraries including access to code,
     movement of software programs, and inventories of software;
   * sixteen components did not address operating system software access;
   * fifteen components did not address operating system monitoring; and
   * thirteen components did not address operating system software changes.

Enclosure II identifies the specific weaknesses we identified in each of the
16 components with documented procedures.

   * Based on our interviews, agency officials were not familiar with
     contractor practices for software management. This is of potential
     concern because 324 (92 percent) of 352 DOE mission-critical systems
     covered by our study involved the use of contractors for Year 2000
     remediation. For example, AlliedSignal/Kansas City (AlliedSignal),
     Grand Junction Project Office, Idaho National Engineering Laboratory
     (INEL), and Oak Ridge Operations Office (OROO) sent code or data
     associated with five mission-critical systems to contractor facilities,
     including one offshore foreign-owned company. However, agency officials
     could not readily determine how the code and data were protected during
     and after transit to the contractor facility, when the code was out of
     the agency's direct control. Also, officials at nine DOE components
     were unfamiliar with daily contractor practices and either directed us
     to interview contractor staff to obtain this information or relied on
     contractor personnel in our interview. These nine components are listed
     below.

   * AlliedSignal
   * Ames Laboratory (Ames)
   * INEL
   * NOO
   * OROO
   * Office of Civilian Radioactive Waste Management (OCRWM)
   * PANTEX
   * Sandia National Laboratories
   * Savannah River Operations Office

   * Based on our interviews and review of documented security policies and
     procedures, background screenings of personnel involved in the software
     change process were not a routine security control at all components.
     For example, officials at Ames, OCRWM, and WAPA told us that four
     contracts for remediation services did not include provisions for
     background checks of contractor staff.

   * Agency officials at Ames, headquarters, and NREL told us that foreign
     nationals were employed on three contracts for remediation services.
     Further, officials at Ames, headquarters, and WAPA did not require
     routine background screening of foreign national personnel involved in
     making changes to software. At Ames and headquarters, complete data on
     the involvement of foreign nationals in software change process
     activities were not readily available.

In light of these weaknesses, we suggest that you review DOE software change
and related contractor oversight and personnel policies and practices and
implement any changes that you deem necessary. Because we also identified
software control weaknesses at other agencies covered by our review, we have
recommended that OMB clarify its guidance to agencies regarding software
change controls as part of broader revisions that OMB is currently
developing to Circular A-130, Management of Federal Information Resources.

We requested comments on a draft of this letter from the OCIO. We received
oral comments from OCIO and from two of DOE's components, BPA and WAPA. OCIO
and WAPA concurred with our findings. BPA provided new information showing
that it had a formally documented process in place. We have made revisions
to this letter to reflect our analysis of this new information. In addition,
the BPA official told us that the Configuration Management Authority
established in April 2000 corrects the software change control weaknesses at
BPA that we identify in enclosure II. The WAPA official commented that
initiatives are underway to improve software change controls including a
dedicated software configuration management staff, a pilot program to assess
and enhance process elements, and development of improved administrationwide
procedures to be drafted by September 30, 2000. In addition, a Change
Control/Configuration Management Group is planned for long-term monitoring
of process effectiveness.

We encourage DOE and its components to continue efforts to improve controls
over software. We appreciate DOE's participation in this study and the
cooperation we received from officials at your office and at the DOE
components covered by our review. If you have any questions, please contact
me at (202) 512-6240 or by e-mail at [email protected], or you may
contact Jean Boltz, Assistant Director, at (202) 512-5247 or by e-mail at
[email protected].

Sincerely yours,

David L. McClure

Associate Director, Governmentwide

and Defense Information Systems

Enclosures

Department of Energy Components Included in Study

  1. Albuquerque Operations Office
  2. AlliedSignal (Kansas City)
  3. Ames Laboratory
  4. Bonneville Power Administration
  5. Brookhaven National Laboratory
  6. Grand Junction Project Office
  7. Headquarters, Department of Energy
  8. Idaho National Engineering Laboratory
  9. National Renewable Energy Laboratory
 10. Nevada Operations Office
 11. Oak Ridge Operations Office
 12. Office of Civilian Radioactive Waste Management
 13. Office of Naval Reactors
 14. Office of Scientific and Technical Information
 15. Ohio Field Office
 16. PANTEX
 17. Richland Operations Office
 18. Sandia National Laboratories
 19. Savannah River Operations Office
 20. Western Area Power Administration

Weaknesses in DOE Component Software Change Policies and Procedures

                Change Control Areas
 Component name
                ("X" = Not Addressed, "NI" = Addressed but Needs Improvement)
                                                               Monitoring and
                Changes to           Application Access to     use of         Operating
                application  Testing software    operating     operating      system
                software             libraries   system        system         software
                                                 software      software       changes
                                                               utilities
 Albuquerque
 Operations                          NI          X             X              X
 Office
 AlliedSignal
 (Kansas City)               X       NI          X                            X
 Ames Laboratory             X       NI          X             X              X
 Bonneville
 Power                               NI          X             X              NI
 Administration
 Brookhaven
 National                            X           X             X
 Laboratory
 Grand Junction
 Project Office                      NI          X             X              X
 Headquarters
 Department of                       X           X             X              X
 Energy
 Idaho National
 Engineering                         X           X             X              X
 Laboratory
 National
 Renewable
 Energy                      X       X           X             X
 Laboratory
 Oak Ridge
 Operations                  NI      X           X             X              X
 Office
 Office of
 Civilian
 Radioactive                         X           X             X              X
 Waste
 Management

 Office of Naval                                 Incomplete    Incomplete     Incomplete
 Reactors                            NI          documentation documentation  documentation
                                                 provided      provided       provided
 Office of
 Scientific and
 Technical                           NI          X             X              X
 Information
 PANTEX                              NI          X             X              X
 Richland
 Operations     X            NI      X           X             X              X
 Office
 Sandia National
 Laboratories                X       X           X             X              X
 Savannah River
 Operations                          NI          X             X              X
 Office

(511980)
  
*** End of document. ***