Information Security: Software Change Controls at the National
Aeronautics and Space Administration (Correspondence, 06/30/2000,
GAO/AIMD-00-196R).

Pursuant to a congressional request, GAO reviewed the National
Aeronautics and Space Administration's (NASA) software change controls,
focusing on: (1) whether key controls as described in agency policies
and procedures regarding software change authorization, testing, and
approval complied with federal guidance; and (2) the extent to which
agencies contracted for year 2000 remediation of mission-critical
systems and involved foreign nationals in these efforts.

GAO noted that: (1) NASA does not have a formally documented
agency-level software change control policy; (2) development and
implementation of software change policies and procedures are the
responsibility of each component; (3) according to the NASA official,
the components used their routine software change control processes for
year 2000 remediation; (4) however, GAO was not provided copies of these
component policies to make comparisons to federal guidance; (5) instead,
the agency official provided GAO with a written explanation of software
change practices at NASA components; (6) based on GAO's interview, the
agency official was not familiar with contractor practices for software
management; (7) this is of potential concern because contractors
performed remediation of all 156 mission-critical systems; (8) for
example, one contract was with a foreign-owned company that also hired
foreign nationals; (9) in addition, source code for two systems was
transmitted to contractor facilities, one of which was a foreign-owned
facility that received source code for administrative systems; and (10)
the NASA official provided no details regarding protective controls over
the source code when the code was out of the agency's direct control.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-196R
     TITLE:  Information Security: Software Change Controls at the
             National Aeronautics and Space Administration
      DATE:  06/30/2000
   SUBJECT:  Computer software
             Contractor personnel
             Internal controls
             Employment of foreign nationals
             Computer software verification and validation
             Contract oversight
             Computer software contracts
             Information resources management
IDENTIFIER:  Y2K
             Software Capability Maturity Model

GAO/AIMD-00-196R

B-285552

June 30, 2000

Mr. Lee Holcomb
Chief Information Officer
National Aeronautics and Space Administration

Subject: Information Security: Software Change Controls at the National
Aeronautics and Space Administration

Dear Mr. Holcomb:

This letter summarizes the results of our recent review of software change
controls at the National Aeronautics and Space Administration (NASA).
Controls over access to and modification of software are essential in
providing reasonable assurance that system-based security controls are not
compromised. Without proper software change controls, there are risks that
security features could be inadvertently or deliberately omitted or rendered
inoperable, processing irregularities could occur, or malicious code could
be introduced. If related personnel policies for background checks and
system access controls are not adequate, there is a risk that untrustworthy
and untrained individuals may have unrestricted access to software code,
terminated employees may have the opportunity to compromise systems, and
unauthorized actions may not be detected.

NASA was 1 of 16 agencies included in a broader review of federal software
change controls that we conducted in response to a request by Representative
Stephen Horn, Chairman, Subcommittee on Government Management, Information
and Technology, House Committee on Government Reform. The objectives of this
broader review were to determine (1) whether key controls as described in
agency policies and procedures regarding software change authorization,
testing, and approval complied with federal guidance and (2) the extent to
which agencies contracted for Year 2000 remediation of mission-critical
systems and involved foreign nationals in these efforts. The aggregate
results of our work were reported in Information Security: Controls Over
Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000), which
we are sending with this letter.

For the NASA segment of our review, we interviewed an official in NASA's
Chief Information Office. Based on a list of data items we provided in
writing to NASA, this official provided information about software change
control policies and procedures at NASA headquarters and its 10 components.
These 10 components, which are listed in enclosure I, remediated 156
mission-critical systems. We did not review the components' written change
control policies and procedures, observe the components' practices, or test
compliance with their policies and procedures. We performed our work from
January through March 2000 in accordance with generally accepted government
auditing standards.

According to the information provided to us, all NASA components performed
background screenings of federal, contractor, and foreign national personnel
involved in making changes to software. However, we identified concerns
regarding NASA's formal policies and procedures and contract oversight.

   * NASA does not have a formally documented agency-level software change
     control policy. Development and implementation of software change
     policies and procedures are the responsibility of each component.
     According to the NASA official, the components used their routine
     software change control processes for Year 2000 remediation. However,
     we were not provided copies of these component policies to make
     comparisons to federal guidance. Instead, the agency official provided
     us with a written explanation of software change practices at NASA
     components.

   * Based on our interview, the agency official was not familiar with
     contractor practices for software management. This is of potential
     concern because contractors performed remediation of all 156
     mission-critical systems. For example, one contract was with a
     foreign-owned company that also hired foreign nationals. In addition,
     source code for two systems was transmitted to contractor facilities,
     one of which was a foreign-owned facility that received source code for
     administrative systems. The NASA official provided no details regarding
     protective controls over the source code when the code was out of the
     agency's direct control.

We were told by the NASA official that the Mission Operations function of
the Goddard Space Flight Center component is certified as a Carnegie Mellon
University Software Engineering Institute's Capability Maturity Model for
Software (SW-CMM) level 3 organization. In comments on a draft of this
letter, you stated that as part of broader efforts to improve software
change controls, NASA plans to bring the major internal software activities
of NASA's 10 components to SW-CMM level 3. We encourage you to proceed on
this course.

Because we also identified software control weaknesses at other agencies
covered by our review, we have recommended that the Office of Management and
Budget (OMB) clarify its guidance to agencies regarding software change
controls as part of broader revisions that OMB is currently developing to
Circular A-130, Management of Federal Information Resources.

We requested comments on a draft of this letter from your office. You
provided us with written comments which are included in enclosure II. We
have incorporated your comments into this letter where appropriate.

We appreciate NASA's participation in this study and the cooperation we
received from officials at your office and at the NASA components covered by
our review. If you have any questions, please contact me at (202) 512-6240
or by e-mail at [email protected], or you may contact Jean Boltz,
Assistant Director, at (202) 512-5247 or by e-mail at [email protected].

Sincerely yours,

David L. McClure
Associate Director, Governmentwide
and Defense Information Systems

Enclosures

Enclosure I: National Aeronautics and Space Administration Components Included in Study

  1. Ames Research Center
  2. Dryden Flight Research Center
  3. Goddard Space Flight Center
  4. Jet Propulsion Lab
  5. Johnson Space Center
  6. Kennedy Space Center
  7. Lewis Research Center
  8. Langley Research Center
  9. Marshall Space Flight Center
 10. Stennis Space Center

(511987)