Computer Security

Under the Computer Security Act of 1987, federal agencies must identify computer systems containing sensitive information and come up with plans to safeguard them. Most federal agencies have security controls in place for sensitive computer systems. Over the last two years, the percentage of implemented controls has risen from 78 percent to 92 percent. In addition, agencies have instituted 88 percent of applicable controls for nine new systems GAO reviewed. Agency officials have said that some new controls have yet to be implemented because (1) the systems are undergoing changes that may affect existing security controls, (2) the agencies are improving security controls, and (3) one new system is in the early stages of development. Most agencies continue to believe that security planning increases management awareness of computer security. They also believe that visits by the Office of Management and Budget and others, in which technical advice and other assistance may be offered, strengthen management commitment to computer security.

GAO found that, as of January 1992, the agencies: (1) had implemented about 88 percent of planned controls for 27 systems; and (2) reported that 44 planned security controls remained for implementation, and attributed implementation delays to system changes that could affect security controls, security control improvements, and systems in early development stages. GAO also found that: (1) agency officials frequently cited increased management awareness of computer security as a benefit of the planning process; and (2) agencies' preparations for site visits from the Office of Management and Budget, National Institute of Standards, and National Security Agency also increased senior-level management awareness.