Information Security

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Defense (DOD), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) background screenings of personnel involved in the software change process were a routine security control for federal, contractor, and foreign national personnel involved in making changes to software; (2) further, officials told GAO that all 57 contracts for remediation services of 253 mission-critical systems included provisions for background checks of contractor staff; (3) this is important because GAO found that foreign nationals were involved in two contracts with the Navy; (4) GAO found weaknesses regarding formal policies and procedures and contract oversight; (5) departmentwide guidance did not exist and development and implementation of software change policies had been delegated to DOD components; (6) GAO identified several deficiencies in these component-level procedures; (7) specifically, the Washington Headquarters Services (WHS) had no formal procedures for software change controls; (8) procedures for the three components reviewed did not address operating system software changes, monitoring, and access or controls over application software libraries, including access to code, movement of software programs, and inventories of software; (9) agency officials were not familiar with contractor practices for software management; (10) at headquarters and at six of the components (all except the Defense Intelligence Agency (DIA), the Defense Logistics Agency (DLA), and WHS), complete data on contracts used in software change process activities were not readily available; (11) this is of potential concern because 253 of DOD's mission-critical systems covered by GAO's study involved the use of contractors for year 2000 remediation; (12) for example, six components (the Defense Finance and Accounting Service, DIA, DLA, Air Force, Navy, and the United States Marine Corps (USMC)) sent code or data associated with 79 mission-critical systems to contractor facilities, including code associated with 36 Navy systems and 5 modules of a USMC personnel system sent to a foreign-owned contractor facility; and (13) agency officials could not readily determine how the code and data were protected during and after transit to the contractor facility when the code was out of the agency's direct control.