Computer Security: FAA Needs to Improve Controls Over Use of Foreign
Nationals to Remediate and Review Software (Letter Report, 12/23/1999,
GAO/AIMD-00-55).

Pursuant to a congressional request, GAO provided information on the
Federal Aviation Administration's (FAA) security controls over
information on the foreign nationals involved in remediating and
reviewing software, focusing on: (1) the extent to which foreign
nationals were involved in year 2000 code remediation and subsequent
code review activities at FAA; and (2) FAA's policies covering this
involvement.

GAO noted that: (1) FAA policy requires system owners and users to
prepare risk assessments for all contractor tasks, and to have
background investigations conducted for all contractor employees in
high-risk positions; (2) FAA also requires more limited background
checks for moderate- and low-risk positions; (3) FAA's mission-critical
systems requiring year 2000 repairs--including some of the most
important systems supporting the air traffic control system--were
remediated by a mix of FAA and contractor employees and, in the case of
commercial-off-the-shelf products, by the product vendors; (4) while FAA
did not maintain detailed information on individuals assigned to perform
year 2000 code remediation, FAA compiled some of this information in
response to GAO's request; (5) in doing so, FAA identified instances
where foreign nationals, employed by contractors, performed year 2000
code remediation activities; (6) of 153 mission-critical systems that
were remediated, 15 had foreign national involvement--including Chinese,
Ukrainian, and Pakistani nationals; (7) FAA was unable to provide any
information about the individuals who performed code remediation for 4
of the 153 systems; (8) with regard to code reviews, 20 key
mission-critical systems have been, or are in the process of being,
reviewed by two contractors who have foreign national employees; (9) one
code review contractor employed 36 mainland Chinese nationals while the
other employed one Canadian national; (10) FAA, however, did not perform
background searches on all of its contractor employees, as required by
policy; (11) the agency did not perform risk assessments and was unaware
of whether it or the contractor had performed background searches on all
the contractor employees, including the foreign nationals; (12) during
GAO's review, GAO found instances where background searches of foreign
nationals were not performed; (13) FAA's failure to perform risk
assessments, its lack of complete information on whether background
searches were performed, and the fact that some foreign nationals did
not undergo background searches have increased the risk that
inappropriate individuals may have gained access to FAA's facilities,
information, or resources; and (14) as a result, the air traffic control
system may be more susceptible to intrusion and malicious attacks.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-55
     TITLE:  Computer Security: FAA Needs to Improve Controls Over Use
	     of Foreign Nationals to Remediate and Review
	     Software
      DATE:  12/23/1999
   SUBJECT:  Computer security
	     Data integrity
	     Y2K
	     Computer software verification and validation
	     Contractor personnel
	     Air traffic control systems
	     Security clearances
	     Contract administration
	     Internal controls
	     Aliens
IDENTIFIER:  Y2K
	     FAA Display System Replacement
	     FAA Automated Radar Terminal System IIIA
	     FAA Voice Switching and Control System
	     FAA Year 2000 Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column delineations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO United States General Accounting Office

Report to the Chairman, Committee on Science, House of
Representatives

December 1999 COMPUTER SECURITY

FAA Needs to Improve Controls Over Use of Foreign Nationals to
Remediate and Review Software

GAO/AIMD-00-55

Page 1 GAO/AIMD-00-55 FAA's Use of Foreign Nationals

United States General Accounting Office

Washington, D.C. 20548
Accounting and Information Management Division

B-284308

December 23, 1999

The Honorable F. James Sensenbrenner, Jr.
Chairman, Committee on Science
House of Representatives

Dear Mr. Chairman:

To address the Year 2000 (Y2K) computing problem, public and private
organizations across the nation have required large numbers of skilled
computer programmers and systems managers to remediate, test, and review
mission-critical systems. The nationwide demand for skilled programmers
has raised questions as to whether key organizations used foreign
nationals in their Y2K activities and how any such use was controlled.
At your request, we identified the extent to which foreign nationals
were involved in Y2K code remediation and subsequent code review
activities at the Federal Aviation Administration (FAA)[1] and the
agency's policies covering this involvement. On December 16, 1999, we
briefed your office on the results of our work. The briefing slides are
included in appendix I. This report provides a high-level summary of the
information presented at that briefing, including FAA's internal
policies on using foreign nationals and its actual use of foreign
nationals to remediate code and perform Y2K code reviews.

[1] Code remediation involved repairing and/or testing systems software,
while code reviews involved an independent, line-by-line review of a
copy of the systems source code in order to identify any date
dependencies.

Results in Brief

FAA policy requires system owners and users to prepare risk assessments
for all contractor tasks, and to have background investigations
conducted for all contractor employees in high-risk positions. FAA also
requires more limited background checks for moderate- and low-risk
positions. FAA's mission-critical systems requiring Y2K repairs,
including some of the most important systems supporting the air traffic
control system, were remediated by a mix of FAA and contractor employees
and, in the case of commercial-off-the-shelf products, by the product
vendors. While FAA did not maintain detailed information on individuals
assigned to perform Y2K code remediation, FAA compiled some of this
information in response to our request. In doing so, FAA identified
instances where foreign nationals, employed by contractors, performed
Y2K code remediation activities (i.e., code repair and/or testing). Of
153 mission-critical systems that were remediated, 15 had foreign
national involvement, including Chinese, Ukrainian, and Pakistani
nationals. FAA was unable to provide any information about the
individuals who performed code remediation for 4 of the 153 systems.[2]
With regard to code reviews, 20 key mission-critical systems have been,
or are in the process of being, reviewed by two contractors who have
foreign national employees. One code review contractor employed 36
mainland Chinese nationals while the other employed one Canadian
national. FAA, however, did not perform background searches
(investigations or checks) on all of its contractor employees, as
required by its policy.

Specifically, the agency did not perform risk assessments and was
unaware of whether it or the contractor had performed background
searches on all of the contractor employees, including the foreign
nationals. During our review, we found instances where background
searches of foreign nationals were not performed. For example, no
background searches were performed on the 36 mainland Chinese nationals
who performed code reviews, according to FAA and the contractor,
Primeon. FAA's failure to perform risk assessments, its lack of complete
information on whether background searches were performed, and the fact
that some foreign nationals did not undergo background searches have
increased the risk that inappropriate individuals may have gained access
to FAA's facilities, information, or resources. As a result, the air
traffic control system may be more susceptible to intrusion and
malicious attacks.

To address these issues, we are making recommendations to the FAA
Administrator to improve FAA's security controls, identify the risk of
malicious attacks on critical systems, and mitigate this risk. FAA has
agreed with our recommendations in these areas and is moving to
implement them. In addition, FAA officials stated that the agency has
five layers of system protection, which they believe make the risk of
intrusion extremely low. We anticipate evaluating the five layers of
system protection as part of our continuing efforts to monitor the
agency's progress in addressing computer security weaknesses.

[2] FAA officials stated that these four systems were
commercial-off-the-shelf products.

Background

The Y2K computing challenge provides a vivid example of the need to
protect critical systems. It illustrates the government's widespread
dependence on systems and their vulnerability to disruption. During the
Y2K conversion period, it was important that agencies be especially
attuned to security issues because most agencies were under severe time
constraints to make an unprecedented number of software changes. To the
extent that this was not done, there is the danger of already weak
controls being further compromised if agencies bypassed or truncated
security in an effort to speed the software modification process. This
increases the risk that erroneous or malicious code could be implemented
and that inadequately tested systems could be rushed into use.

FAA's primary mission is to ensure safe, orderly, and efficient air
travel throughout the United States. FAA's ability to fulfill this
mission depends on the adequacy and reliability of the nation's air
traffic control (ATC) system, a vast network of computer hardware,
software, and communications equipment that provides information to air
traffic controllers and aircraft flight crews to ensure safe and
expeditious movement of aircraft. FAA's ATC network is an enormous,
complex collection of interrelated systems, including navigation,
surveillance, weather, and automated information processing and display
systems that reside at, or are associated with, hundreds of ATC
facilities. Complex communications networks that separately transmit
both voice and digital data interconnect these systems and facilities.
As stated in our 1997 and 1999 reports on high-risk issues,[3] while the
use of interconnected systems promises significant benefits in improved
government operations, it also increases vulnerability to anonymous
intruders who may manipulate data to commit fraud, obtain sensitive
information, or severely disrupt operations. In May 1998, we reported
that FAA had weak computer security practices that jeopardized flight
safety and concluded that FAA was ineffective in all critical areas
reviewed: facilities physical security, operational systems information
security, future systems modernization security, and management
structure and policy implementation.[4] First, we reported that there
were known weaknesses at many ATC facilities and that FAA was unaware of
weaknesses that might have existed at other locations. Second, FAA was
ineffective in managing systems security for its operational systems and
was in violation of its own policy. Third, FAA was also not effectively
managing systems security for future ATC modernization systems. Finally,
we reported that FAA's management structure and implementation of policy
for ATC computer security was ineffective, with security
responsibilities distributed among three organizations that had all been
remiss in their ATC security duties. To address these weaknesses, we
made a series of recommendations on physical security at FAA facilities,
operational ATC systems security, future ATC modernization systems
security, and management structure and policy implementation. FAA
generally agreed with these recommendations and is in the process of
implementing them. For example, in February 1999, FAA established a
Chief Information Officer position with responsibility for developing,
implementing, and enforcing the agency's information security policy.
FAA's efforts to address physical and systems security weaknesses are
underway.

[3] High-Risk Series: Information Management and Technology
(GAO/HR-97-09, February 1997) and High-Risk Series: An Update
(GAO/HR-99-1, January 1999).

[4] Air Traffic Control: Weak Computer Security Practices Jeopardize
Flight Safety (GAO/AIMD-98-155, May 18, 1998).

FAA Security Policies Require Background Searches for Contractor
Employees

Security program management and the related security controls over
access to data, systems, and software programs are central factors
affecting an organization's ability to protect its information resources
and the program operations that these resources support. Federal
agencies must protect the integrity, confidentiality, and availability
of the information resources they rely on. FAA has a personnel security
program order, a human resource policy manual, and a required contract
clause that detail the requirements to be met by both FAA and contractor
employees and the actions FAA must take to ensure the credibility of
these individuals. All three policies allow for the hiring of foreign
nationals.

FAA's personnel security program order requires background
investigations to be conducted for all FAA employees. In addition, this
order requires system owners and users to prepare a risk assessment to
determine the level of risk associated with contracts. Depending on the
level of risk identified, the order then requires FAA to perform
background searches (investigations or checks) for contractor employees
who have comparable exposure to FAA's facilities, information, or
resources.[5] Specifically, FAA requires that background investigations
be conducted for contractor employees in high-risk positions and that
more limited background checks be conducted for contractor employees in
moderate- and low-risk positions.

FAA's human resource policy manual restricts hiring to U.S. citizens and
nationals (residents of American Samoa and Guam) but allows for
exceptions. Specifically, FAA may hire foreign nationals if (1) there
are an insufficient number of well-qualified applicants and/or (2) there
is an emergency, in which case these individuals can be hired for a
brief period of time. FAA officials noted that they were not aware of
any instances in which FAA had hired foreign nationals. In addition, FAA
specifies that all of its contracts include a clause requiring
contractors to hire U.S. citizens or aliens that are in the country
legally, as evidenced by either a green card[6] or the appropriate work
visa, if work is likely to be performed at an FAA location. There was,
however, some confusion about this clause within FAA. Some FAA employees
considered the clause mandatory, while others considered it optional. As
a result, the clause may have been inappropriately excluded from some of
the contracts under which the Y2K code remediation activities were
performed.

FAA Contractors Used Foreign Nationals for Y2K Code Remediation,
But Not All Had Required Background Searches

FAA contractors used foreign nationals to help remediate
mission-critical systems. Of 153 mission-critical systems that underwent
code repair and/or testing, FAA advised us that 15 had some degree of
foreign national involvement. These 15 systems included key ATC,
communications, and administrative systems. For example, the Traffic
Flow Management Infrastructure-Enhanced Traffic Management System, which
is used to manage traffic flow across the National Airspace System, was
remediated with the assistance of two Chinese, one Ethiopian, one Irish,
and one Ukrainian national. The Oceanic Automation System, which
provides oceanic controllers with a situation display of aircraft
positions, was remediated with the assistance of two British nationals.
For four mission-critical systems, the degree of foreign national
involvement, if any, was unknown by FAA.[7]

[5] FAA does not require background searches on temporary contractor
employees in low-risk positions.

[6] A green card is an alien registration receipt card, which documents
that a foreign national has obtained permanent residency in the United
States.

[7] FAA stated that these four systems (the BandWidth Manager Network,
the Operation Support Telephone System, the ASU-400 Local Area Network,
and CCMail) were commercial-off-the-shelf products.

In overseeing these contracts, however, FAA did not adhere to its own
policy requiring background searches to be performed for all contractor
employees. When asked about the required background searches, the Y2K
Program Office acknowledged that it was unaware of this requirement and
did not know whether background searches had been performed for all
contractor employees, including the foreign nationals involved in Y2K
code remediation activities. The Associate Administrator for Research
and Acquisitions stated that the Office of Acquisitions was also unaware
of the requirement to conduct background searches of contractor
employees. In addition, we contacted three contracting officer technical
representatives for key air traffic control systems, who stated that
they had not performed background searches of contractor employees and,
in some instances, did not review resumes.

By not following sound security practices, FAA has increased the risk of
inappropriate individuals gaining access to FAA's facilities,
information, or resources. As a result, there is inherently more risk
that unauthorized changes, which are difficult to detect, could have
been made during code renovation. In addition, program errors detected
during testing may not have been identified for correction by
individuals intending harm, resulting in potential system errors. While
the scope of our work did not include identifying instances of code
tampering or illegal activities and we did not find any such instances
during our review, FAA's failure to adhere to its own policies has
increased the risk that malicious code tampering may have occurred and
may not have been detected.

FAA Contractors Used Foreign Nationals to Perform Y2K Code Reviews,
But Not All Had Required Background Searches

FAA hired two contractors (Primeon and Computer Generated Solutions,
Inc.) through the General Services Administration to perform Y2K code
reviews of 20 mission-critical systems. With respect to Y2K compliance,
code reviews entail a line-by-line analysis of a copy of the program
source code to identify and evaluate date-related fields. According to
FAA officials, a copy of the program source code was provided in its
entirety to the contractors on various media (e.g., floppy disk, zip
drive) and, in most cases, via express mail.[8] For each system, the
contractors were required to provide a final report of the review
results to the appropriate Y2K program office, and the system owners
were expected to address any identified issues. FAA also required both
contractors to sign nondisclosure agreements requiring the return or
destruction of all copies of the program source code provided by FAA.

[8] Code reviewers were not given direct access to operational systems,
so they did not have the ability to directly insert code.

These code reviews have been and continue to be performed for systems
that FAA has identified as the most important. To date, 17 of 20 systems
have been reviewed, with 2 currently being reviewed and 1 scheduled for
review, according to FAA officials. The universe of systems consists of
key ATC, communications, and administrative systems. For example,
systems that have undergone code reviews include the Display System
Replacement (DSR), which displays radar data to controllers in the en
route environment, and the Automated Radar Terminal System IIIA (ARTS
IIIA), which is the critical data processing system used in terminal
radar approach control facilities to provide essential aircraft position
and flight plan information to controllers.

Primeon was tasked with reviewing the code of eight mission-critical
systems, including DSR, ARTS IIIA, and the Voice Switching and Control
System (VSCS), a critical system that supports ground-to-ground and
air-to-ground communications in the terminal radar approach control
environment. According to Primeon and FAA, 36 mainland Chinese nationals
performed these code reviews. However, neither FAA nor Primeon had
performed background searches on these employees.

Computer Generated Solutions, Inc. (CGS) was tasked with reviewing the
code of 13 mission-critical systems,[9] including the Terminal Doppler
Weather Radar and the Host Environment, the key information processing
system in FAA's en route environment. According to CGS and FAA, there
was one Canadian national whose involvement was limited to contract
administration. This person should have undergone a criminal background
investigation under CGS' recruiting policy, but FAA did not confirm that
this had occurred. According to an FAA official, the agency did not
conduct background searches of CGS' employees.

[9] Because both contractors reviewed ARTS IIIA, there are a total of 21
code reviews on 20 systems.

As stated earlier, while FAA requires background searches to be
performed for all contractor employees, regardless of citizenship
status, this policy is not being adequately enforced. FAA's failure to
conduct background searches increases the risk that unauthorized
individuals will gain access to FAA's facilities, information, or
resources. In the case of code reviews, individuals intending harm may
not bring to FAA's attention program errors that may have been detected
during the code review process. In addition, copies of the code could be
sold and/or reviewed to identify systems weaknesses that could later be
exploited.

While the scope of our work did not include identifying instances of
intrusions or illegal activities and we did not find any such instances
during our review, FAA's failure to adhere to its own policies has
increased the risk that the source code of its critical systems could be
copied, distributed, and studied for weaknesses. Additionally, given the
nature of code reviews, this type of activity may have occurred but not
have been detected.

Conclusions

By not following sound security practices, FAA has increased the risk
that inappropriate individuals may have gained access to its facilities,
information, or resources. FAA has not adequately (1) enforced its
policy requiring background searches of contractor employees, (2)
instructed its personnel on when to use the contract clause regarding
citizenship requirements for contractor personnel, and (3) maintained
records of all individuals assigned to work on mission-critical systems.
FAA now faces a major task in assessing and addressing the increased
risks to several of its mission-critical systems as a result of its
failure to ensure that background searches were conducted. The
implications of FAA's actions extend well beyond the Y2K date rollover
and, as such, require FAA to act swiftly and decisively in its efforts
to identify and mitigate the potential risk of intrusions and malicious
attacks.
Recommendations

In order to address weaknesses in the enforcement of its policies and to
identify and mitigate the risk of malicious intrusions or attacks on
mission-critical FAA systems, we recommend that the FAA Administrator
direct:

- FAA's Associate Administrator for Civil Aviation Security to clarify
  the requirements for contractor employee background investigations or
  checks and establish a process under which background investigations
  or checks are performed for all contractor staff where applicable. To
  increase the effectiveness of such an action, the Associate
  Administrator must also ensure that risk assessments are prepared with
  appropriate input from system owners and users.

- FAA's Associate Administrator for Research and Acquisitions to provide
  guidance on contract provisions, such as mandatory versus optional
  clauses, and enforce the appropriate use of these clauses. The
  Associate Administrator should instruct personnel to review current
  and pending contracts to ensure that all applicable contract
  provisions are included. In addition, the reasonableness of all clause
  limitations should be reviewed.

- The appropriate FAA entity to maintain records of the individuals,
  both FAA and contractor employees, working on systems, especially
  mission-critical applications.

- The appropriate FAA entity to perform security reviews of critical
  systems that have been remediated under contract.

- The appropriate FAA entity to carefully control access to and
  distribution of program source code, in conjunction with security
  reviews.

- The appropriate FAA entity to perform a risk assessment for code
  reviews conducted by Primeon to determine the potential exposure and
  consider retroactively performing background investigations of
  Primeon's staff.

Agency Comments

On December 13, 1999, we discussed the results of our review with FAA
officials and incorporated their comments as appropriate. FAA officials
agreed with our findings and the necessary corrective actions. Senior
FAA officials also informed us that the agency had issued a policy
memorandum effective December 10, 1999, calling attention to the
requirements of FAA's personnel security program order. The agency has
also begun the process of identifying the extent to which it or its
contractors have performed background checks or investigations of
contractor employees. In addition, FAA has tasked its Servicing Security
Elements organization with the responsibility of maintaining records of
individuals, both FAA and contractor employees, who are working on
systems. On December 21 and 22, 1999, FAA officials, including the
Acting Deputy Administrator, the Assistant Administrator for Information
Services and Chief Information Officer, the Associate Administrator for
Research and Acquisitions, and the Associate Administrator for Civil
Aviation Security, provided additional comments. These officials stated
that because FAA has five layers of systems protection, they believe
that the risk of intrusion is extremely low. We anticipate evaluating
FAA's layers of systems protection as part of our continuing efforts to
monitor the agency's progress in addressing computer security
weaknesses.

Objectives, Scope, and Methodology

As requested, our objectives were to determine whether FAA had policies
governing the use of foreign nationals for Y2K code remediation
activities, the extent to which foreign nationals and offshore
facilities were used to remediate code, and the extent to which foreign
nationals were involved in code reviews. To achieve our objectives, we
interviewed officials within several administrative offices,[10] the Y2K
program office, and the Y2K program office for each respective line of
business. We also contacted system representatives and officials of both
the Facility Services and Engineering Division and Civil Aviation
Security at the William J. Hughes Technical Center in Atlantic City, New
Jersey.

[10] These administrative offices included the Office of Information
Services/Chief Information Officer, Office of Civil Aviation Security
Operations, Office of Civil Aviation Security Policy and Planning,
Office of Personnel, and Office of Acquisitions.

To determine whether FAA had policies governing the use of foreign
nationals for Y2K remediation activities, we met with officials and
requested copies of policies developed by administrative offices within
FAA. To assess the degree of foreign national and offshore facility
involvement in Y2K code remediation, we reviewed and analyzed
information provided from the various Y2K program offices and
interviewed system officials on a sample of mission-critical systems. To
assess the degree of foreign national involvement in code review
activities, we also reviewed and analyzed information provided by FAA
officials. During the course of this review, we did not focus on
identifying any instances of code tampering or other malicious
activities.

We conducted our work at the Federal Aviation Administration in
Washington, D. C., and the William J. Hughes Technical Center in
Atlantic City, New Jersey. We performed our work from October
through December

1999 in accordance with generally accepted government auditing
standards. We provided a copy of the briefing materials used in
preparing this report to FAA and Department of Transportation
(DOT) officials. FAA and DOT

officials including the Deputy Assistant Administrator of the
Office of Information Services/ Chief Information Officer (CIO),
the Associate Administrator for Research and Acquisitions, the
Chief of Staff of the Office of the Administrator, the Director of
Airway Facilities Service, the Year 2000 Program Office Manager,
the Year 2000 Program Manager for Air Traffic Services,
representatives from the Office of Civil Aviation Security

and Office of Acquisitions, and a representative for the DOT CIO
Office provided oral comments on the briefing. In addition, we
provided a draft of this letter to FAA for comment. We have
incorporated FAA's comments as appropriate throughout this report.

As agreed with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution
until 30 days from the date of this report. At that time, we will
send copies to Senator Robert F. Bennett, Senator Christopher J.
Dodd, Senator Fred Thompson, Senator Joseph I. Lieberman, Senator
Richard C. Shelby, Senator Frank R. Lautenberg, Senator Slade
Gorton, Senator John D. Rockefeller IV, Representative Ralph M.
Hall, Representative Constance A. Morella, Representative James A.
Barcia, Representative Steven Horn, Representative Jim Turner,
Representative Frank R. Wolf, Representative Martin O. Sabo,
Representative John J. Duncan, and Representative William O.
Lipinski in their capacities as Chair or Ranking Minority Members of
Senate and House Committees and Subcommittees. We are also sending
copies of this report to the Honorable Rodney E. Slater, Secretary
of Transportation; the Honorable Jane Garvey, Administrator of the
Federal Aviation Administration; the Honorable John Koskinen,
Chairman of the President's Council on Year 2000 Conversion; and
the Honorable Jacob J. Lew, Director of the Office of Management
and Budget. Copies will also be made available to others upon
request.

B-284308 Page 12 GAO/AIMD-00-55 FAA's Use of Foreign Nationals

If you have any questions on matters discussed in this letter,
please call me at (202) 512-6408 or Colleen Phillips, Assistant
Director, at (202) 512-6326. We can also be reached by e-mail at
willemssenj.aimd@gao.gov and phillipsc.aimd@gao.gov, respectively.
Key contributors to this assignment were Cynthia Jackson, William
Lew, and Keith Rhodes.

Sincerely yours,

Joel C. Willemssen
Director, Civil Agencies Information Systems

Appendix I: December 16, 1999, Briefing Before the House Committee
on Science

GAO: Accountability, Integrity, Reliability

Use of Foreign Nationals in Year 2000 Code Remediation and Review
Activities at the Federal Aviation Administration

U.S. House of Representatives, Committee on Science
December 16, 1999

Briefing Overview

- Objectives, Scope, and Methodology
- FAA Policies Governing Use of Foreign Nationals
- FAA's Utilization of Foreign Nationals or Offshore Entities to
  Remediate Code
- FAA's Utilization of Foreign Nationals to Review Code
- Summary of Observations
- Suggested Actions

Objectives, Scope, and Methodology

Objectives

- Determine whether FAA has policies governing the use of foreign
  nationals for Year 2000 code remediation activities
- Determine the extent to which FAA used foreign nationals or
  offshore facilities to remediate code
- Determine the extent to which FAA used foreign nationals to
  perform code reviews

Objectives, Scope, and Methodology (cont'd)

Scope

FAA
- Administrative Offices
- Year 2000 Program Office
- Year 2000 Program Office for each respective line of business
  (LOB)
- William J. Hughes Technical Center

Objectives, Scope, and Methodology (cont'd)

Methodology

- Identified FAA policies governing the hiring of foreign nationals
  by FAA and contractors
- Assessed information on the use of foreign nationals and offshore
  entities to perform or oversee Year 2000 code remediation
  activities
- Interviewed FAA system officials on a sample of mission-critical
  systems
- Obtained FAA comments on a draft of the slides and incorporated
  changes as appropriate
- Performed work in accordance with generally accepted government
  auditing standards from October through December 1999

FAA Policies Governing Use of Foreign Nationals

FAA's Personnel Security Program Order
- requires background investigations to be performed for FAA
  employees
- requires background checks or investigations to be performed for
  contractor employees who have comparable exposure to FAA's
  facilities, information, or resources, except for temporary
  contractor employees in low-risk positions
- the type of background check or investigation required is based
  on the level of risk determined by the FAA system owner and users

However,
- the Year 2000 Program Office was unaware of this requirement
- we identified instances where background checks or
  investigations were not performed for contractor employees

FAA Policies Governing Use of Foreign Nationals (cont'd)

FAA's Human Resource Policy Manual
- restricts hiring to U.S. citizens and nationals (residents of
  American Samoa and Guam) but allows for exceptions
- FAA may hire foreign nationals if
  - there are an insufficient number of well-qualified applicants,
    and/or
  - there is an emergency, in which case these individuals can be
    hired for a brief period of time

FAA Policies Governing Use of Foreign Nationals (cont'd)

FAA's Required Contract Clause
- requires contractors to hire U.S. citizens or aliens who have
  been lawfully admitted for permanent residence as evidenced by a
  green card, or who meet other Immigration and Naturalization
  Service requirements

However, the clause
- is applicable only if contractor employees are likely to perform
  work at FAA locations
- some FAA employees consider the clause mandatory while others
  consider it optional

FAA Policies Governing Use of Foreign Nationals (cont'd)

FAA's Required Contract Clause (cont'd)
- according to the Year 2000 Program Office, information was not
  readily available regarding the inclusion of this clause in
  current contracts

FAA's Utilization of Foreign Nationals for Y2K Code Remediation

- Neither the Year 2000 Program Office nor the respective LOBs'
  Year 2000 Program Offices routinely maintain information on the
  individuals who performed code remediation
- FAA did not know if background checks or investigations were
  performed for contractor employees
- Risk assessments were not prepared
- However, according to FAA, remediation work was performed with
  existing contractors
- In response to our request for information on contract staff,
  FAA contacted the system owners and respective contracting firms
  and inquired as to the use of foreign nationals

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Summary of foreign national involvement in FAA's Y2K code
remediation activities

- 15 (10%) of 153 mission-critical (MC) systems had foreign
  nationals performing code repair and/or testing, according to FAA
  officials
- 1 commercial-off-the-shelf (COTS) system was remediated by a
  foreign-owned firm
  - ACT Telecommunications System was remediated by Northern
    Telecom, a Canadian firm
- The number of foreign nationals performing code repair and/or
  testing is not known for 4 (3%) of 153 MC systems

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

- Based on our review of information provided by FAA and our
  observations, we did not identify any FAA employees who were
  foreign nationals who performed code remediation
- There were several instances where information was unavailable
- FAA does not know whether background checks or investigations
  were performed for all foreign national contractor employees who
  performed code remediation

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Table 1: Summary of Reported Foreign National Involvement in Code
Repair and/or Testing for Mission-Critical Systems Repaired

LOB     Requiring   Repaired, no foreign   Repaired, with foreign   Repaired, involvement
        repair      national involvement   national involvement     unknown
ARA     26          15                     7                        4
ATS     65          63                     2                        0
ARP     3           2                      1                        0
AAD     50          49                     1                        0
AVR     6           2                      4                        0
AST     0           0                      0                        0
ACS     3           3                      0                        0
ASY     0           0                      0                        0
Totals  153         134                    15                       4

All counts are numbers of mission-critical (MC) systems.

LOB key: ARA, Associate Administrator for Research and Acquisitions;
ATS, Associate Administrator for Air Traffic Services; ARP,
Associate Administrator for Airports; AAD, Administrative Systems;
AVR, Associate Administrator for Regulation and Certification; AST,
Associate Administrator for Commercial Space Transportation; ACS,
Associate Administrator for Civil Aviation Security; ASY, Office of
System Safety.

SOURCE: FAA

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Table 2: Summary of Mission-Critical Systems Repaired with Reported
Foreign National Involvement in Code Repair and/or Testing

Columns: LOB | System Name | Contractor Name | Number and
nationality of foreign nationals | Contractor was foreign owned or
controlled? | Code remediated offshore? | Comments

ARA | CTX 5000 (Explosive Detection System) | InVision | * | * | * |
  Commercial-off-the-shelf (COTS) product. Testing done utilizing
  German engineers
ARA | ACT Telecommunications System (1) | Northern Telecom | * |
  Yes, Canadian | * | COTS product
ARA | Traffic Flow Management Infrastructure - Enhanced Traffic
  Management System | Volpe | 2 Chinese, 1 Ethiopian, 1 Irish,
  1 Ukrainian | No | Unknown | Contract staff involved in
  modification and testing activities
ARA | Enterprise Network/Headquarters Data Network | AMTI |
  1 Venezuelan | No | No | COTS product
ARA | Voice Switching and Control System (1) | Intellisource | * |
  * | * | FAA system representatives noted that there was 1
  foreign national involved in testing at the Technical Center
ARA | Oceanic Automation System | Raytheon | 2 British | No | No |
ARA | Oceanic System Development and Support Products | Raytheon |
  2 British | No | No |

SOURCE: FAA
* Information unavailable
(1) Information on the nationality of FAA employees also
unavailable

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Table 2: Summary of Mission-Critical Systems Repaired with Reported
Foreign National Involvement in Code Repair and/or Testing (cont'd)

Columns: LOB | System Name | Contractor Name | Number and
nationality of foreign nationals | Contractor was foreign owned or
controlled? | Code remediated offshore? | Comments

ATS | Information Display System | Systems Atlanta, Inc. |
  1 Liberian | No | No | COTS product. Individual installed
  commercial off the shelf hardware
ATS | National Airspace Data Interchange Network II | Hughes
  Network Systems, Dimensions International, TRIOS, DITCO,
  Technical Management Assistance | 2 British | No | No | COTS
  product. Individuals were involved in testing
ARP | Air Carrier Activity Information System | Volpe | 1 Japanese |
  No | No | Individual involved in program testing
AAD | Departmental Accounting and Financial Information System |
  MTSI, CEXEC | 6 Malaysians, 1 Pakistani, 1 India Citizen**,
  1 Vietnamese | No | No |

SOURCE: FAA
* Information unavailable
** However, the individual is now a United States citizen according
to FAA

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Table 2: Summary of Mission-Critical Systems Repaired with Reported
Foreign National Involvement in Code Repair and/or Testing (cont'd)

Columns: LOB | System Name | Contractor Name | Number and
nationality of foreign nationals | Contractor was foreign owned or
controlled? | Code remediated offshore? | Comments

AVR | Online Aviation Safety Inspection System | Galaxy Scientific
  Corporation | 5** | No | No |
AVR | Safety Performance Analysis System | Computer Sciences
  Corporation, Akuna Technologies, Inc. | 1 India Citizen,
  1 Nigerian | No | No |
AVR | Client Server Applications: Financial Tracking System, Air
  Transportation Oversight System, Document Imaging Workflow
  Subsystem, Electrocardiogram Subsystem | JW Internet
  Technologies, CGH, Inc., Affiliated Computer Services, Mortara |
  1 Chinese, 1 India Citizen, 2 South Africans, 8 India Citizens,
  1 Italian | No | No |
AVR | Mainframe Application: Integrated Safety Information System |
  OAO Corporation | 1, nationality unknown | No | No |

SOURCE: FAA
* Information unavailable
** Contractor expressed privacy and discrimination concerns about
releasing employees' countries of origin

FAA's Utilization of Foreign Nationals for Y2K Code Remediation
(cont'd)

Table 3: Summary of Mission-Critical Systems Repaired for which
Foreign National Involvement in Code Repair and/or Testing is
Unknown

Columns: LOB | System Name | Contractor Name | Number and
nationality of foreign nationals | Contractor was foreign owned or
controlled? | Code remediated offshore? | Comments

ARA | BandWidth Manager Network (1) | * | * | * | * | COTS product
  received from the Department of Defense
ARA | Operation Support Telephone System (1) | * | * | * | * | COTS
  product
ARA | ASU-400 Local Area Network | * | * | * | * | COTS product
ARA | CCMail | Lotus Development Corporation | * | No | * | COTS
  product

SOURCE: FAA
* Information unavailable
(1) Information on the nationality of FAA employees is also
unavailable

FAA's Utilization of Foreign Nationals to Review Code

FAA hired two contractors (Primeon and Computer Generated
Solutions, Inc.) through the General Services Administration (GSA)
to perform code reviews of 20 mission-critical systems

- Code reviews have been and continue to be performed to identify
  potential Year 2000 issues within the remediated code
- The reviews entail a line-by-line analysis of a copy of the
  program source code to identify and evaluate date-related fields
- For each system, a final report with the review results is
  provided to the appropriate Year 2000 Program Office and
  identified issues are expected to be addressed by system owners
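The review step described above, a line-by-line pass over a copy of the source code to identify and evaluate date-related fields, is shown below as an added worked example; it is not code from the report, FAA, Primeon or Computer Generated Solutions. It walks a constructed COBOL fragment and flags date-named data items, year fields stored with a two-digit picture, and statements that combine a year field with a small numeric literal (the pattern behind most two-digit-year logic). The identifier parts it treats as date-related (DATE, YEAR, YY, YR, MMDD, DDMM, JULIAN), the finding categories and the sample lines are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Identifier parts treated as date-related. This is an assumed starter list for
# illustration, not an FAA, Primeon or CGS checklist.
YEAR_PARTS = {"YEAR", "YY", "YR"}
DATE_PARTS = YEAR_PARTS | {"DATE", "MMDD", "DDMM", "JULIAN"}

# COBOL data item: level number, data name, optional PICTURE clause.
FIELD_DECL = re.compile(
    r"^\s*\d{2}\s+([A-Z][A-Z0-9-]*)(?:\s+PIC(?:TURE)?\s+([A-Z0-9()]+))?",
    re.IGNORECASE,
)
TWO_DIGIT_PIC = re.compile(r"^(99|9\(0?2\))$", re.IGNORECASE)  # year held in 2 digits
WORD = re.compile(r"[A-Z][A-Z0-9-]*")
SMALL_LITERAL = re.compile(r"\b\d{1,2}\b")  # literals such as 99 or 50 in year logic


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    source: str


def _parts(name: str) -> set:
    return set(name.upper().split("-"))


def is_date_name(name: str) -> bool:
    return bool(_parts(name) & DATE_PARTS)


def is_year_name(name: str) -> bool:
    return bool(_parts(name) & YEAR_PARTS)


def review_source(lines: List[str]) -> List[Finding]:
    """Return one finding per line that a Year 2000 reviewer should evaluate."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip()
        decl = FIELD_DECL.match(line)
        if decl:
            # Data declaration: report date-named items, and single out year
            # items whose storage can only hold two digits.
            name, pic = decl.group(1), decl.group(2)
            if not is_date_name(name):
                continue
            if is_year_name(name) and pic and TWO_DIGIT_PIC.match(pic):
                findings.append(Finding(line_no, "two-digit-year-storage", line.strip()))
            else:
                findings.append(Finding(line_no, "date-field", line.strip()))
            continue
        # Procedural statement: report uses of date-named items, and single out
        # year items compared with or computed from a one- or two-digit literal.
        words = WORD.findall(line.upper())
        if not any(is_date_name(w) for w in words):
            continue
        if any(is_year_name(w) for w in words) and SMALL_LITERAL.search(line):
            findings.append(Finding(line_no, "two-digit-year-logic", line.strip()))
        else:
            findings.append(Finding(line_no, "date-field-use", line.strip()))
    return findings


# Constructed sample program fragment (not FAA code).
SAMPLE_SOURCE = [
    "       01  WS-CURRENT-DATE.",
    "           05  WS-YY              PIC 99.",
    "           05  WS-MM              PIC 99.",
    "           05  WS-DD              PIC 99.",
    "       01  WS-ACCOUNT-ID          PIC X(10).",
    "       01  WS-EXPIRY-YEAR         PIC 9(4).",
    "           IF WS-YY > 99",
    "              MOVE ZERO TO WS-YY.",
    "           COMPUTE WS-AGE = 99 - WS-YY.",
    "           DISPLAY WS-ACCOUNT-ID.",
]

if __name__ == "__main__":
    for f in review_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:3d}  {f.category:23s}  {f.source}")
```

Every finding is a line a human reviewer still has to evaluate; the scanner only guarantees that no date-named item or year computation is skipped, which is the property a line-by-line review is meant to provide.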

FAA's Utilization of Foreign Nationals to Review Code (cont'd)

Year 2000 system code reviews

Primeon
- Display System Replacement
- Automated Radar Terminal System (ARTS) IIIA***
- Common ARTS
- National Airspace System Resource System (Operational Data
  Management System)
- Voice Switching and Control System
- Traffic Flow Management Infrastructure - Enhanced Traffic
  Management System
- Dynamic Ocean Track System Plus
- Host Interface Device/National Airspace System/Local Area Network

Computer Generated Solutions, Inc.
- ARTS IIIA***
- Flight Service Automation System
- U.S. Notices to Airmen System
- Terminal Doppler Weather Radar
- Aeronautical Information Systems - DEC Alpha
- HOST Environment*
- Micro-En Route Automated Radar Tracking System**
- Remote Maintenance Monitoring System*
- Integrated Communication Switching System Litton Type 2, 3
- Departmental Accounting and Financial Information System
- Integrated Personnel Payroll System
- Aviation Safety Analysis System
- Airport Air Carrier Reporting System

* Code review in process
** Code review tentatively scheduled
*** System reviewed by both Primeon and Computer Generated
Solutions, Inc.

FAA's Utilization of Foreign Nationals to Review Code (cont'd)

Primeon
- Neither the GSA contract nor FAA's statement of work under that
  contract prohibited the use of foreign nationals
- contractor has a written internal security policy but does not
  perform background investigations of employees
  - employees are hired based on academic credentials and
    experience
- According to Primeon and FAA, 36 mainland Chinese nationals
  performed code reviews (4 with green cards, 32 with work visas)
- A nondisclosure agreement was signed by Primeon and
  certifications were provided to FAA denoting the return or
  pending destruction of the media and the purging of electronic
  copies of the code

FAA's Utilization of Foreign Nationals to Review Code (cont'd)

Computer Generated Solutions, Inc. (CGS)
- Neither the GSA contract nor FAA's statement of work under that
  contract prohibited the use of foreign nationals
- at FAA's request, contractor prepared a written internal security
  policy
- contractor conducts a criminal background investigation prior to
  employment
- According to CGS and FAA, 1 Canadian national was involved in
  contract administration
- A nondisclosure agreement was signed by CGS requiring the return
  or destruction of all copies of software/firmware and all
  documentation provided by FAA or developed by CGS during its
  review

Summary of Observations

- FAA has a policy that requires background checks or
  investigations to be performed for contractor employees based
  upon the level of risk associated with the project or task;
  however, the policy has not always been followed
- FAA has a contract clause that specifies the citizenship criteria
  for contractor employees; however,
  - the clause only applies if the contractor employees are likely
    to work at an FAA location
  - FAA employees have differing views as to whether the contract
    clause is mandatory or optional
- FAA did not maintain information on individuals assigned to
  perform code remediation and/or code reviews
- FAA does not know if background checks or investigations were
  performed for all foreign nationals involved in code remediation
  activities

Summary of Observations (cont'd)

- One of FAA's two code review contractors did not conduct
  background investigations of its employees

By not following sound security practices, FAA introduces the risk
of inappropriate individuals gaining access to FAA's facilities,
information, or resources
- unauthorized changes, which are difficult to detect, could be
  made during code renovation
- program errors detected during testing and code reviews may not
  be identified for correction
- copies of the code could be sold and/or reviewed to identify
  system weaknesses that could later be exploited
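The first risk listed above, unauthorized changes made during renovation that are difficult to detect, is one the receiving organization can reduce by keeping the baseline it handed out and checking each delivery against it. The following added example (not from the report, FAA or any of the contractors named) hashes both versions, diffs them line by line, and separates changed lines that touch date-related identifiers, which the Year 2000 task explains, from changes the task does not explain and which therefore need a written justification before acceptance. The baseline and delivered fragments, the identifier list and the scope rule are constructed assumptions.

```python
import difflib
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Identifier parts treated as date-related; an assumed starter list, not an FAA rule.
DATE_PARTS = {"DATE", "YEAR", "YY", "YYYY", "CCYY", "YR", "CENTURY"}
WORD = re.compile(r"[A-Z][A-Z0-9-]*")

# ("-" for a baseline line removed, "+" for a delivered line added), line number
# within its own file, stripped text.
Change = Tuple[str, int, str]


def is_date_line(line: str) -> bool:
    """True if any identifier on the line contains a date-related part."""
    return any(set(w.split("-")) & DATE_PARTS for w in WORD.findall(line.upper()))


def digest(lines: List[str]) -> str:
    """SHA-256 of the file content, recorded for both versions in the audit record."""
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


@dataclass
class DeliveryAudit:
    baseline_digest: str
    delivered_digest: str
    in_scope: List[Change] = field(default_factory=list)
    out_of_scope: List[Change] = field(default_factory=list)

    @property
    def changed(self) -> bool:
        return self.baseline_digest != self.delivered_digest


def audit_delivery(baseline: List[str], delivered: List[str]) -> DeliveryAudit:
    """Diff a delivered file against its baseline and classify every changed line."""
    report = DeliveryAudit(digest(baseline), digest(delivered))
    matcher = difflib.SequenceMatcher(a=baseline, b=delivered, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        removed = [("-", i + 1, baseline[i].strip()) for i in range(i1, i2)]
        added = [("+", j + 1, delivered[j].strip()) for j in range(j1, j2)]
        for change in removed + added:
            # Scope rule (assumption): a Year 2000 repair is expected to touch
            # only lines that reference a date-related identifier.
            bucket = report.in_scope if is_date_line(change[2]) else report.out_of_scope
            bucket.append(change)
    return report


# Constructed sample: the copy handed to the contractor and the copy returned.
BASELINE = [
    "           05  WS-YY              PIC 99.",
    "           IF WS-YY > 99",
    "              MOVE ZERO TO WS-YY.",
    "           PERFORM WRITE-AUDIT-RECORD.",
    "           DISPLAY WS-ACCOUNT-ID.",
]
DELIVERED = [
    "           05  WS-YYYY            PIC 9(4).",
    "           IF WS-YYYY > 9999",
    "              MOVE ZERO TO WS-YYYY.",
    "           DISPLAY WS-ACCOUNT-ID.",
]

if __name__ == "__main__":
    report = audit_delivery(BASELINE, DELIVERED)
    print("baseline ", report.baseline_digest)
    print("delivered", report.delivered_digest)
    for sign, line_no, text in report.in_scope:
        print(f"in scope      {sign} {line_no:3d} {text}")
    for sign, line_no, text in report.out_of_scope:
        print(f"OUT OF SCOPE  {sign} {line_no:3d} {text}")
```

In the constructed sample the widening of WS-YY to a four-digit field is accepted as in scope, while the dropped PERFORM of the audit-record paragraph is reported for explanation. The digests are what a receiving office would record alongside the contractor's certification that media were returned or destroyed, so that the accepted version is tied to a specific content hash.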

Suggested Actions

- Clarify requirements for contractor employee background checks
  or investigations, and establish a process to ensure that
  background checks or investigations are performed for all
  contractor staff where applicable
- Ensure that risk assessments are prepared
- Provide guidance on contract provisions, such as mandatory versus
  optional clauses, and ensure that the clauses are used
  appropriately
- Review current and pending contracts to ensure that all
  applicable contract provisions are included
- Review reasonableness of clause limitations
- Maintain records of the individuals, both FAA and contractor
  employees, working on systems, especially mission-critical
  applications

Suggested Actions (cont'd)

- Perform security reviews of critical systems that have been
  remediated
- In conjunction with security reviews, FAA should ensure that
  access to and distribution of programs is carefully controlled
- Perform a risk assessment for code reviews conducted by Primeon
  to determine the potential exposure and consider retroactively
  performing background investigations of Primeon's staff

(511818)

Ordering Information

The first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following address,
accompanied by a check or money order made out to the
Superintendent of Documents, when necessary. VISA and MasterCard
credit cards are also accepted. Orders for 100 or more copies to be
mailed to a single address are discounted 25 percent.

Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax
number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on how to
obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e-mail message with "info" in the body to info@www.gao.gov, or
visit GAO's World Wide Web Home Page at http://www.gao.gov

United States General Accounting Office
Washington, D.C. 20548-0001

Official Business
Penalty for Private Use $300

Address Correction Requested
Bulk Rate Postage & Fees Paid
GAO Permit No. GI00