Information Security: Software Change Controls at the Office of Personnel
Management (Correspondence, 06/30/2000, GAO/AIMD-00-197R).

Pursuant to a congressional request, GAO reviewed the Office of
Personnel Management's (OPM) software change controls, focusing on: (1)
whether key controls as described in agency policies and procedures
regarding software change authorization, testing, and approval complied
with federal guidance; and (2) the extent to which agencies contracted
for year 2000 remediation of mission-critical systems and involved
foreign nationals in these efforts.

GAO noted that: (1) office-level guidance for routine software change
control did not exist, and formally documented component procedures for
year 2000 software changes were inadequate; (2) procedures developed by
both OPM components for year 2000 remediation of software did not
adequately address key controls for operating system software access and
monitoring; (3) based on GAO's interviews, agency officials were not
familiar with contractor practices for software management; (4) this is
of potential concern because 65 (61 percent) of OPM's 107
mission-critical federal systems involved the use of contractors for
year 2000 remediation; (5) also of concern is that Retirement and
Insurance Service Systems (RISS) sent code associated with 7
mission-critical systems to a contractor facility for remediation, and
agency officials could not readily determine how the code was protected
after transit to the contractor facility, when the code was out of the
agency's direct control; (6) OPM officials did not have complete data on
the involvement of foreign nationals in software change process
activities; and (7) however, officials told GAO that one of two
contracts issued by RISS for remediation of 57 mission-critical systems
involved foreign nationals.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-197R
     TITLE:  Information Security: Software Change Controls at the
	     Office of Personnel Management
      DATE:  06/30/2000
   SUBJECT:  Computer security
	     Internal controls
	     Computer software contracts
	     Information resources management
	     Employment of foreign nationals
	     Contract oversight
	     Computer software verification and validation
IDENTIFIER:  OPM Retirement and Insurance Service Systems
	     Y2K
	     Software Capability Maturity Model

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/AIMD-00-197R

B-285553

June 30, 2000

Ms. Janet Barnes

Chief Information Officer

Office of Personnel Management

Subject: Information Security: Software Change Controls at the Office of
Personnel Management

Dear Ms. Barnes:

This letter summarizes the results of our recent review of software change
controls at the Office of Personnel Management (OPM). Controls over access
to and modification of software are essential in providing reasonable
assurance that system-based security controls are not compromised. Without
proper software change controls, there are risks that security features
could be inadvertently or deliberately omitted or rendered inoperable,
processing irregularities could occur, or malicious code could be
introduced. If related personnel policies for background checks and system
access controls are not adequate, there is a risk that untrustworthy and
untrained individuals may have unrestricted access to software code,
terminated employees may have the opportunity to compromise systems, and
unauthorized actions may not be detected.

OPM was 1 of 16 agencies included in a broader review of federal software
change controls that we conducted in response to a request by Representative
Stephen Horn, Chairman, Subcommittee on Government Management, Information
and Technology, House Committee on Government Reform. The objectives of this
broader review were to determine (1) whether key controls as described in
agency policies and procedures regarding software change authorization,
testing, and approval complied with federal guidance and (2) the extent to
which agencies contracted for Year 2000 remediation of mission-critical
systems and involved foreign nationals in these efforts. The aggregate
results of our work were reported in Information Security: Controls Over
Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000), which
we are sending with this letter.

For the OPM segment of our review, we interviewed Year 2000 project staff at
the two OPM components, Retirement and Insurance Service Systems (RISS) and
the Non Retirement and Insurance Service Systems, which were responsible for
remediation of software for OPM's 107 mission-critical systems. We also
obtained pertinent written policies and procedures from these components and
compared them to federal guidance issued by the Office of Management and
Budget (OMB) and the National Institute of Standards and Technology. We did
not observe the components' practices or test their compliance with their
policies and procedures. We performed our work from January through March
2000 in accordance with generally accepted government auditing standards.

According to OPM officials, background checks of personnel involved in the
software change process were a routine security control for contractor
personnel involved in making changes to software. Also, officials told us
that all four contracts for remediation services included provisions for
background checks of contractor staff. However, we identified weaknesses
regarding formal policies and procedures and contract oversight.

   * Office-level guidance for routine software change control did not
     exist, and formally documented component procedures for Year 2000
     software changes were inadequate. Procedures developed by both OPM
     components for Year 2000 remediation of software did not adequately
     address key controls for operating system software access and
     monitoring.

   * Based on our interviews, agency officials were not familiar with
     contractor practices for software management. This is of potential
     concern because 65 (61 percent) of OPM's 107 mission-critical federal
     systems involved the use of contractors for Year 2000 remediation. Also
     of concern is that RISS sent code associated with 7 mission-critical
     systems to a contractor facility for remediation, and agency officials
     could not readily determine how the code was protected after transit to
     the contractor facility, when the code was out of the agency's direct
     control.

   * OPM officials did not have complete data on the involvement of foreign
     nationals in software change process activities. However, officials
     told us that one of two contracts issued by RISS for remediation of 57
     mission-critical systems involved foreign nationals.

We requested comments on a draft of this letter from your office. You
provided us with written comments that are included in the enclosure. In
your comments, you stated that OPM is actively improving system development
procedures to reflect the Carnegie Mellon University Software Engineering
Institute's Capability Maturity Model for Software (SW-CMM) and that you
have set an ultimate goal to achieve a SW-CMM level 3 process. We encourage
you to proceed on this course.

In addition, we suggest that you review related contract oversight and
personnel policies and practices and implement any changes that you deem
necessary. Because we also identified software control weaknesses at other
agencies covered by our review, we have recommended that OMB clarify its
guidance to agencies regarding software change controls as part of broader
revisions that OMB is currently developing to Circular A-130, Management of
Federal Information Resources.

We appreciate OPM's participation in this study and the cooperation we
received from officials at your office and at the OPM components covered by
our review. If you have any questions, please contact me at (202) 512-6240
or by e-mail at [email protected], or you may contact Jean Boltz,
Assistant Director, at (202) 512-5247 or by e-mail at [email protected].

Sincerely yours,

David L. McClure

Associate Director, Governmentwide and Defense Information Systems

Enclosure

(511988)