Information Security: Software Change Controls at the Department of
Veterans Affairs (Correspondence, 06/30/2000, GAO/AIMD-00-201R).

Pursuant to a congressional request, GAO reviewed the Department of
Veterans Affairs' (VA) software change controls, focusing on: (1) whether
key controls as described in agency policies and procedures regarding
software change authorization, testing, and approval complied with
federal guidance; and (2) the extent to which agencies contracted for
year 2000 remediation of mission-critical systems and involved foreign
nationals in these efforts.

GAO noted that: (1) the component-level policies and procedures used by
VA components were adequate except the Veterans Benefits Administration
did not address controlling installation of operating system software;
(2) however, departmental guidance for software change control was
limited to restricting access to operating system software and
investigating unusual change activity; (3) the department-level policies
did not address the following key controls: (a) documenting, approving,
and testing software changes; (b) controlling application software
libraries; and (c) monitoring changes, access to, and use of operating
system software; (4) based on GAO's interviews, agency officials were
not familiar with contractor practices for software management; (5) this
is of some concern because VA used contract services for 40 (13 percent)
of VA's 305 mission-critical systems included in GAO's review; (6)
however, VA did not describe the protective controls in place to prevent
unauthorized disclosure of code or unauthorized access to code; (7)
therefore, GAO cannot evaluate the adequacy of these controls; (8)
according to VA's comments, VA did not use the renovated code for these
two mission-critical systems because the contractors had not completed
the task; (9) nevertheless, as a general practice, controls over code
are important during the transmission of code to a contractor facility
and while at the contractor facility to prevent disclosure of code for
intelligence gathering by malicious individuals; (10) VA officials told
GAO that the nine contracts for year 2000 remediation services did not
include provisions for background screening of personnel; (11) this is a
potential concern because one contract for remediation of source code
for a Veterans Health Administration project management system involved
a foreign national; and (12) also, Office of Management and Budget and
National Institute of Standards and Technology criteria require
background screening of key staff involved with automated systems.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-201R
     TITLE:  Information Security: Software Change Controls at the
             Department of Veterans Affairs
      DATE:  06/30/2000
   SUBJECT:  Computer software
             Information resources management
             Employment of foreign nationals
             Computer security
             Computer software contracts
             Internal controls
             Contractor personnel
             Computer software verification and validation
             Contract oversight
IDENTIFIER:  Y2K

GAO/AIMD-00-201R

B-285557

June 30, 2000

Mr. Robert P. Bubniak
Acting Principal Deputy Assistant Secretary
for Information and Technology
Department of Veterans Affairs

Subject: Information Security: Software Change Controls at the Department of
Veterans Affairs

Dear Mr. Bubniak:

This letter summarizes the results of our recent review of software change
controls at the Department of Veterans Affairs (VA). Controls over access to
and modification of software are essential in providing reasonable assurance
that system-based security controls are not compromised. Without proper
software change controls, there are risks that security features could be
inadvertently or deliberately omitted or rendered inoperable, processing
irregularities could occur, or malicious code could be introduced. If
related personnel policies for background checks and system access controls
are not adequate, there is a risk that untrustworthy and untrained
individuals may have unrestricted access to software code, terminated
employees may have the opportunity to compromise systems, and unauthorized
actions may not be detected.

VA was 1 of 16 agencies included in a broader review of federal software
change controls that we conducted in response to a request by Representative
Stephen Horn, Chairman, Subcommittee on Government Management, Information
and Technology, House Committee on Government Reform. The objectives of this
broader review were to determine (1) whether key controls as described in
agency policies and procedures regarding software change authorization,
testing, and approval complied with federal guidance and (2) the extent to
which agencies contracted for Year 2000 remediation of mission-critical
systems and involved foreign nationals in these efforts. The aggregate
results of our work were reported in Information Security: Controls Over
Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000), which
we are sending with this letter.

For the VA segment of our review, we interviewed officials in VA's Office of
Information and Technology and Year 2000 project staff at two of the four VA
components responsible for remediation of mission-critical systems for the
Year 2000. These VA components, the Veterans Benefits Administration (VBA)
and the Veterans Health Administration (VHA), remediated 305 of VA's 316
mission-critical systems. We also obtained pertinent written policies and
procedures from these components and compared them to federal guidance
issued by the Office of Management and Budget (OMB) and the National
Institute of Standards and Technology (NIST). We did not observe the
components' practices or test their compliance with their policies and
procedures. We performed our work from January through March 2000 in
accordance with generally accepted government auditing standards.

Overall, we identified weaknesses in three areas: formally documented
policies and procedures, contract oversight, and background screening
practices.

   * The component-level policies and procedures used by VA components were
     adequate except that VBA did not address controlling installation of
     operating system software. However, departmental guidance for software
     change control was limited to restricting access to operating system
     software and investigating unusual change activity. The
     department-level policies did not address the following key controls:

        - Documenting, approving, and testing software changes.
        - Controlling application software libraries.
        - Monitoring changes, access to, and use of operating system software.

   * Based on our interviews, agency officials were not familiar with
     contractor practices for software management. This is of some concern
     because VA used contract services for 40 (13 percent) of VA's 305
     mission-critical systems included in our review. For example, VBA sent
     code for two mission-critical systems to a contractor's facility, but
     agency officials did not tell us how the code was protected after
     transit to the contractor facility, when the code was out of the
     agency's direct control. In your comments on a draft of this letter,
     you stated that the code was fully protected. However, you did not
     describe the protective controls in place to prevent unauthorized
     disclosure of code or unauthorized access to code. Therefore, we cannot
     evaluate the adequacy of these controls. According to your comments, VA
     did not use the renovated code for these two mission-critical systems
     because the contractors had not completed the task. Nevertheless, as a
     general practice, controls over code are important during the
     transmission of code to a contractor facility and while at the
     contractor facility to prevent disclosure of code for intelligence
     gathering by malicious individuals.

   * VA officials told us that the nine contracts for Year 2000 remediation
     services did not include provisions for background screening of
     personnel. This is of potential concern because one contract for
     remediation of source code for a VHA project management system involved
     a foreign national. Also, OMB and NIST criteria require background
     screening of key staff involved with automated systems.

We requested comments on a draft of this letter from your office. You
provided us with written comments that are included in the enclosure. In
your comments, you mentioned VA's planned implementation of a formal
certification and accreditation process that you said would assure the
effectiveness of security measures. As part of this improvement effort, we
suggest that you review VA's software change control policies and procedures
and consider adopting industry best practices, such as the Carnegie Mellon
University Software Engineering Institute's Capability Maturity Model for
Software. In addition, in light of the weaknesses we found, we also suggest
that you review related contractor oversight and personnel policies and
procedures and make any changes you deem necessary.

We have identified software control weaknesses at other agencies covered by
our review; therefore, we have recommended that OMB clarify its guidance to
agencies regarding software change controls as part of broader revisions
that OMB is currently making to Circular A-130, Management of Federal
Information Resources.

We appreciate VA's participation in this study and the cooperation we
received from officials at your office and at the VA components covered by
our review. If you have any questions, please contact me at (202) 512-6240
or by e-mail at [email protected], or you may contact Jean Boltz,
Assistant Director, at (202) 512-5247 or by e-mail at [email protected].

Sincerely yours,

David L. McClure
Associate Director, Governmentwide
and Defense Information Systems

Enclosure

(511993)