Information Security

Software Change Controls at the Department of Housing and Urban Development Gao ID: AIMD-00-195R June 30, 2000

Pursuant to a congressional request, GAO reviewed the software change controls at the Department of Housing and Urban Development (HUD), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) HUD had established formal departmentwide policies and procedures that adequately addressed major aspects of their centralized software change control function; (2) the formally documented policy established a goal for the department to maintain a level 2, or repeatable, process maturity based on the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software; (3) however, GAO identified concerns in two related areas--contract oversight and background checks of personnel involved in software change activities; (4) agency officials were not familiar with contractor practices for software management; (5) for example, contract information on procurement method, inclusion of contract provisions for background checks of employees, and protection of code transmissions and code located at contractor facilities was not readily available; (6) this is of potential concern because all 57 of HUD's mission-critical federal systems involved the use of contractors for year 2000 remediation; (7) HUD officials told GAO that all 10 contracts for remediation services employed foreign nationals; (8) further, HUD sent code associated with one mission-critical system to a contractor facility, but agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of the agency's direct control; (9) although HUD officials told GAO that all contracts for remediation services included provisions for background checks of contractor staff, background screenings were not a routine security control at HUD for noncontract personnel involved in making changes to software; and (10) this is of concern because the Office of Management and Budget and the National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.