Information Security: Software Change Controls at the Department of Veterans Affairs

GAO ID: AIMD-00-201R, June 30, 2000

Pursuant to a congressional request, GAO reviewed the Department of Veterans Affairs' (VA) software change controls, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) the component-level policies and procedures used by VA components were adequate except the Veterans Benefits Administration did not address controlling installation of operating system software; (2) however, departmental guidance for software change control was limited to restricting access to operating system software and investigating unusual change activity; (3) the department-level policies did not address the following key controls: (a) documenting, approving, and testing software changes; (b) controlling application software libraries; and (c) monitoring changes, access to, and use of operating system software; (4) based on GAO's interviews, agency officials were not familiar with contractor practices for software management; (5) this is of some concern because VA used contract services for 40 (13 percent) of VA's 305 mission-critical systems included in GAO's review; (6) however, VA did not describe the protective controls in place to prevent unauthorized disclosure of code or unauthorized access to code; (7) therefore, GAO cannot evaluate the adequacy of these controls; (8) according to VA's comments, VA did not use the renovated code for these two mission-critical systems because the contractors had not completed the task; (9) nevertheless, as a general practice, controls over code are important during the transmission of code to a contractor facility and while at the contractor facility to prevent disclosure of code for intelligence gathering by malicious individuals; (10) VA officials told GAO that the nine contracts for year 2000 remediation services did not include provisions for background screening of personnel; (11) this is a potential concern because one contract for remediation of source code for a Veterans Health Administration project management system involved a foreign national; and (12) also, Office of Management and Budget and National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.
