Information Security

Software Change Controls at the Department of the Treasury. GAO ID: AIMD-00-200R, June 30, 2000

Pursuant to a congressional request, GAO reviewed software change controls at the Department of the Treasury, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that:

(1) According to Treasury officials, departmental components routinely performed background screenings of federal and contractor personnel involved in software changes, and all 12 components that contracted for year 2000 remediation services included security provisions in contracts requiring background screenings of personnel.
(2) However, GAO identified weaknesses related to formal policies and procedures and contract oversight.
(3) Treasury's departmentwide guidance does not detail required software change control processes.
(4) However, Treasury's Information System Life Cycle Manual, currently under revision, lists some activities that Treasury's components may implement, including change control.
(5) Seven of the 14 components covered in the review had formally documented procedures.
(6) However, GAO's review of procedures for 6 of these components found that they did not adequately address key controls, such as: (a) documentation, approval, and testing of changes; (b) controls over application software libraries; (c) operating system software access; (d) monitoring and changes; and (e) personnel controls.
(7) Financial Management Service (FMS) officials stated that a formally documented process was in place, but did not provide any documentation for GAO's review.
(8) Prior GAO reports have shown that FMS software management had been delegated to FMS data center sites and, of those sites visited, most either had not established policies and procedures, had adopted inadequate policies and procedures, or were not following the policies and procedures in place.
(9) GAO found that the remaining 7 of the 14 components did not have a formally documented process for software change control.
(10) Agency officials were not familiar with contractor practices for software management.
(11) This is of potential concern because 259 (84 percent) of the 310 Treasury mission-critical systems covered by the study involved the use of contractors for year 2000 remediation.
(12) Six contracts at the Chief Information Office (CIO), U.S. Mint, Office of Thrift Supervision (OTS), and Internal Revenue Service (IRS) involved hiring of foreign nationals.
(13) For example, at OTS, remediation of all 15 mission-critical systems involved foreign nationals.
(14) Also, according to an agency official, Financial Crimes Enforcement Network (FinCEN) contractors were not required to disclose the country of their citizenship.
(15) At CIO, FinCEN, IRS, and the U.S. Customs Service, complete data on the involvement of foreign nationals in software change process activities were not readily available.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.