Information Security

Pursuant to a congressional request, GAO reviewed software change controls at the Department of the Interior, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) GAO identified weaknesses in Interior's formal policies and procedures, contract oversight, and background screening of personnel; (2) according to Interior officials, Interior had no formal departmentwide software change control policy; (3) instead, each component developed its own change control policy; (4) of the 5 component policies GAO reviewed, only the Bureau of Land Management and the Office of Surface Mining (OSM) had formally documented change control policies; (5) the Bureau of Indian Affairs, the National Business Center-District of Columbia, and the Bureau of Reclamation (BOR) had policies to control year 2000 remediation changes, but they had no formally documented process for change control during routine operations; (6) GAO found that Interior officials were not familiar with contractor practices for software management; (7) this is of particular concern because Interior contracted for year 2000 software change activities for 41 percent of 87 Interior mission-critical federal systems requiring year 2000 remediation; (8) for example, BOR sent code associated with a mission-critical system to a contractor's facility, and the BOR official did not have information available on how the code was to be protected during and after transit to the contractor facility, when the code was out of BOR's direct control; (9) based on GAO's interviews and review of documented security policies and procedures, that background screenings of personnel involved in the software change process were not a routine security control; (10) of the 12 Interior components that GAO reviewed, only the Minerals Management Service (MMS) and the U.S. Geological Survey required routine background screening of foreign national personnel involved in making changes to software; (11) officials at BOR, the National Business Center in Reston, National Park Service (NPS), and OSM told GAO that 6 of 7 contracts for remediation services at these components did not include provisions for background checks of contractor staff; (12) a MMS official told GAO that one contractor MMS used for year 2000 remediation employed foreign nationals; and (13) DOI's Office of Special Trustee and NPS each had a mission-critical system developed, remediated, and maintained at the contractors' facilities, and DOI officials did not know whether the contractors employed foreign nationals to work on the code.