-------------------------Indexing Terms-------------------------
REPORTNUM:   AIMD-00-151R

TITLE:     Information Security: Controls Over Software Changes at Federal Agencies

DATE:   05/04/2000

-----------------------------------------------------------------

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
United States General Accounting Office
Washington, DC 20548

Accounting and Information Management Division

B-285184

May 4, 2000

The Honorable Stephen Horn
Chairman, Subcommittee on Government Management,
  Information and Technology
Committee on Government Reform
House of Representatives

Subject: Information Security: Controls Over Software Changes at Federal
Agencies

Dear Mr. Chairman:

Controls over access to and modification of software are essential in
providing reasonable assurance that system-based security controls are not
compromised. Without proper software change controls, there are risks that
security features could be inadvertently or deliberately omitted or rendered
inoperable, processing irregularities could occur, or malicious code could
be introduced. If related personnel policies for background checks and
system access controls are not adequate, there is a risk that untrustworthy
and untrained individuals may have unrestricted access to software code,
terminated employees may have opportunity to compromise systems, and
unauthorized actions may not be detected.

This letter responds to your November 4, 1999, request for information
regarding software change controls at federal agencies. In subsequent
discussions with your office, we agreed to determine whether key controls as
described in documented policies and procedures regarding software change
authorization, testing, and approval comply with federal guidance. In
addition, we agreed to determine the extent to which agencies contracted for
Year 2000 remediation of mission-critical systems and the extent to which
foreign nationals were involved in these efforts. The results of our work
are detailed in the enclosed materials, which were discussed at our April
6, 2000, briefing.

To meet these objectives, we interviewed headquarters officials at 16 of the
largest federal agencies and officials at 128 of 211 major components of
these agencies. We also obtained pertinent written policies and procedures
and compared them to federal guidance issued by the Office of Management
and Budget and the National Institute of Standards and Technology. We did
not observe agency practices or test agencies' compliance with their
policies and procedures. We performed our work from January through March
2000, in accordance with generally accepted government auditing standards.

GAO/AIMD-00-151R Software Change Controls

Overall, we concluded that controls over changes to software for federal
information systems as described in agency policies and procedures were
inadequate. Specifically, we identified deficiencies in three control areas:
formal policies and procedures, contract oversight, and background screening
of personnel.

- Formally documented policies and procedures did not exist or did not meet
  the requirements of federal criteria. For example, 8 of 16 agencies had
  not established formal, agencywide policies for software change
  management, and 50 of 128 agency components had not established formal
  procedures or adopted agency-level guidance.

- Based on our interviews at the 16 agencies and the 128 components,
  oversight of contractors was inadequate, especially when software change
  functions were completely contracted out. This is of potential concern
  because 1,980 (41 percent) of 4,785 mission-critical federal systems
  covered by our study involved the use of contractors for Year 2000
  remediation. Of particular concern, code or data associated with 319 of
  these systems were sent to contractor facilities, but agency officials
  could not readily determine how such code and data were protected during
  and after transit.

- Based on our interviews with agency officials and review of documented
  security policies and procedures, background screenings of personnel
  involved in the software change process were not a routine security
  control. Of the 128 components we reviewed, 42 did not require routine
  background screening of foreign national personnel involved in making
  changes to software. Further, agency officials told us that 24 of 579
  contracts for remediation services did not include provisions for
  background checks of contractor staff. Finally, complete data on use of
  foreign nationals in the software change process were not readily
  available.

OMB is in the process of revising its Circular A-130, Management of Federal
Information Resources, which contains OMB's primary guidance to agencies on
protecting federal automated information resources. The proposed revisions
do not include any additions or modifications to agency guidance regarding
software change controls or related controls pertaining to personnel and
contract oversight practices. Because our work identified governmentwide
weaknesses in these areas, we plan to recommend, as part of a broader set of
comments on the proposed A-130 revisions, that OMB clarify its guidance to
agencies. We will send you a copy of these comments when they are provided
to OMB.


We are sending copies of this letter to the Honorable Jim Turner,
Ranking Minority Member, Subcommittee on Government Management, Information
and Technology, House Committee on Government Reform; the Honorable Dan
Burton, Chairman, and the Honorable Henry Waxman, Ranking Minority Member,
House Committee on Government Reform; the Honorable Fred Thompson, Chairman,
and the Honorable Joseph Lieberman, Ranking Minority Member, Senate
Committee on Governmental Affairs; the Honorable Jacob Lew, Director, Office
of Management and Budget; and other interested parties. Copies will also be
made available to others upon request.

If you have any questions, please contact me at (202) 512-6240 or by e-mail
at mcclured.aimd@gao.gov, or you may contact Jean Boltz, Assistant
Director, at (202) 512-5247 or by e-mail at boltzj.aimd@gao.gov.

Sincerely yours,

David L. McClure
Associate Director, Governmentwide
  and Defense Information Systems

Enclosure


Enclosure

Briefing on Software Change Controls

Software Change Controls at Federal Agencies

Briefing to the Subcommittee on Government Management,
Information and Technology, House Committee on Government Reform

April 6, 2000

Briefing Overview

- Objectives, Scope, Methodology, and Criteria Applied
- Observations
  - Formal Policies and Procedures
  - Controls Over Contract Support
  - Controls Over Personnel and Use of Foreign Nationals

Objectives

The Subcommittee asked us to gather information regarding

- agency controls to ensure that software changes were properly authorized,
  tested, and approved prior to implementation;
- the extent to which federal agencies contracted out Year 2000 remediation
  services; and
- the extent to which foreign nationals were involved in Year 2000
  remediation.

Scope and Methodology

- We included 16 major federal agencies in our study.
- We interviewed the following officials at 128 of 211 agency components
  with mission-critical systems remediated for Year 2000:
  - Year 2000 program officials,
  - chief information office technical staff, and
  - contracting officers.
- We performed work in accordance with generally accepted government
  auditing standards from January through March 2000.

Scope and Methodology (cont.)

- We compared formally documented agency and component policies and
  procedures for software change control and personnel security to
  criteria.
- We analyzed readily available information on use of contractors and
  foreign nationals.

Criteria

The Privacy Act, the Paperwork Reduction Act, and the Computer Security Act
require agencies to protect sensitive information.

The Office of Management and Budget (OMB) Circular A-130, Appendix III,
requires key controls for automated systems including background screening
of key staff.

The National Institute of Standards and Technology Special Publications
800-12 and 800-18 require management of software configuration throughout
its life cycle.

GAO's Federal Information System Controls Audit Manual provides criteria for
assessment of critical software management elements.

Observations

Formal software change management policies and procedures were lacking or
inadequate.

Remediation activities were contracted out for 41 percent of
mission-critical systems included in our study, and controls over contract
support were weak.

Data on the involvement of foreign nationals in Year 2000 remediation
efforts were not readily available. However, agency officials told us that
foreign nationals were involved in at least 85 of 579 contracts. In
addition, background screening policies were inadequate for all personnel
involved in software change management.

Formal Policies and Procedures Are Lacking or Inadequate

- Eight of 16 agencies had not established a formal agencywide policy or
  methodology for software change management.
- Fourteen of 16 agencies delegated software management responsibility to
  agency components that may further delegate to system owners.

Formal Policies and Procedures Are Lacking or Inadequate (cont.)

- Fifty of 128 components had not established formal procedures or adopted
  agency-level guidance.
- Components that had formal procedures did not always follow agency
  guidance provided.
- Twenty of 128 components followed different, less-controlled processes
  for Year 2000 remediation than for routine software management.
- Controls over access to code were weak.

Formal Policies and Procedures Are Lacking or Inadequate (cont.)

- The following key controls were frequently not addressed:
  - Documentation, approval, and testing of changes.
  - Maintenance and protection of source code libraries.
  - Separation of duties to prevent unauthorized changes.
  - Labeling and inventory of software programs.
  - Monitoring and addressing unusual change activity.
  - Managing changes to both system software and application software.

Weaknesses in Controls Over Contract Support

- There was limited federal oversight at agencies or components where
  software change functions were completely contracted out.
- Agencies did not have focal points with knowledge of the extent to which
  sensitive systems were exposed to contractors or foreign nationals.
- Agencies sent code or data associated with 319 systems to contractor
  facilities, but officials could not readily determine how such code and
  data were protected during and after transit.
- Agencies did not include security provisions in 24 of 579 contracts for
  remediation services.
- Agencies did not have the ability to control remediation of proprietary
  commercial off-the-shelf software products.

Weaknesses in Controls Over Contract Support

Systems Affected by Contracted Remediation*

                                                         Number of systems
  Mission-critical systems included in component sample  4,785
  Systems contracted out for Year 2000 remediation       1,980 (41%)
  Source code sent to external facility:
    Contractor facility (U.S.)                             221 ( 5%)
    Contractor facility (Non-U.S.)                          98 ( 2%)
    Another federal facility                               233 ( 5%)

* Results are based on unaudited information provided by agency officials.

Weaknesses in Controls Over Contract Support

Data on 579 Contracts Used for Remediation*

                                                        Number of contracts
  Existing contracts used for remediation services      394
  New contracts awarded for remediation services        101
  Contracts with foreign ownership or foreign
    controlling interest                                  8
  Contracts with foreign nationals on staff              85

* Results are based on unaudited information provided by agency officials.

Personnel Controls and Use of Foreign Nationals

- Forty-two of 128 components did not require performance of routine
  background screening of foreign nationals or personnel involved in
  software change management, as required by OMB A-130.
- Information on foreign national staff and related personnel security
  controls followed was not readily available.
*** End of document. ***